Consolidated Malware Sinkhole List

A common practice of researchers studying a piece of malware is to seize control of its malicious command and control domains, then redirect traffic to them to benign research servers for analysis and victim notification. I always highly recommend monitoring for traffic to these sinkholes – it is frequently indicative of infection.

I’ve found no comprehensive public list of these sinkholes. There have been some previous efforts to compile a list, for instance by reverse engineering Emerging Threats Signatures (mikesxrs – I hope this answers your questions, a little late!). Some sinkholes are documented on the vendors’ sites, while others are clearly labeled in whois data, but undocumented. Still others are only detectable through behavior and hearsay.

Below, I share my personal list of publicly-noted sinkholes only. Please understand that with few exceptions I have not received any of this information from the vendors or organizations mentioned. It is possible there is some misattribution, and addresses in use do change over time. This is merely intended as a helpful aid for threat hunting, and there are no guarantees whatsoever.

Before we proceed, credit where credit is due:

I am certainly not claiming credit for this entire list. There are many smart people out there who provided partial data and clues.

http://www.kleissner.org/ maintains fantastically useful lists of command and control servers for numerous botnets. Within those lists, a number of sinkholes are attributed to specific organizations; some of those attributions I could independently verify, and some I could not.

The extremely talented Miroslav Stampar has quite a few sinkholes identified within his maltrail malicious traffic detection tool.

Many, many Robtex, DomainTools, and VirusTotal queries and a lot of Google search hacking went into compiling and cross-checking this list. Michael B. Jacobs has written a terrific paper which covers some of the methodologies I used to detect and confirm undocumented sinkhole servers through DNS and behavioral analysis.

There are more detailed databases of sinkholes, but they tend to be access-restricted and contain data I will not repost for confidentiality reasons. My list is fully OSINT-based and can be reproduced with time and effort.

Here’s the current list:

If you have any corrections to offer either as one of these organizations or an independent researcher, please contact me and I will give credit in this blog accordingly.
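As an added illustration of the monitoring recommended above (this is example code written for this page, not code from the original post), the following Python sketch matches resolver log lines against a sinkhole list and summarizes which internal hosts resolved names to sinkhole addresses. Everything in it is constructed: the sinkhole entries use RFC 5737 documentation ranges as placeholders rather than real sinkhole infrastructure, the operator labels are made up, and the log format (`<timestamp> client <ip> query <name> answer <ip>`) is an assumed one that a real deployment would swap for its own resolver or Zeek DNS output.

```python
"""Flag internal hosts whose DNS answers fall inside known sinkhole ranges.

Constructed example for illustration: the sinkhole networks below are RFC 5737
documentation addresses standing in for real entries, the labels are invented,
and the log lines are made up. Replace SINKHOLES with the real list.
"""
import ipaddress
import re
from collections import defaultdict

# Placeholder sinkhole list: (network, who is believed to operate it).
# Entries are networks, not single hosts, because sinkholes are often whole ranges.
SINKHOLES = [
    ("192.0.2.0/24", "example-sinkhole-A"),   # constructed placeholder
    ("198.51.100.7/32", "example-sinkhole-B"),  # constructed placeholder
]

# Assumed resolver log format (constructed): "<ts> client <ip> query <name> answer <ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) answer (?P<answer>\S+)$"
)

# Constructed sample log: two hosts hit sinkholes, one does not.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z client 10.1.1.5 query www.example.org answer 93.184.216.34
2017-03-01T10:00:02Z client 10.1.1.9 query badc2.example.test answer 192.0.2.44
2017-03-01T10:00:03Z client 10.1.1.5 query update.example.test answer 198.51.100.7
2017-03-01T10:00:04Z client 10.1.1.9 query badc2.example.test answer 192.0.2.44
2017-03-01T10:00:05Z client 10.1.1.7 query nothing-wrong.example.org answer 203.0.113.9
2017-03-01T10:00:06Z client 10.1.1.7 query alias.example.org answer other.example.org
"""


def load_sinkholes(entries):
    """Parse (cidr, label) pairs into ip_network objects once, up front."""
    return [(ipaddress.ip_network(net), label) for net, label in entries]


def classify(answer, sinkholes):
    """Return the sinkhole label an answer falls into, or None.

    Non-IP answers (e.g. a CNAME target) are ignored rather than raising.
    """
    try:
        addr = ipaddress.ip_address(answer)
    except ValueError:
        return None
    for net, label in sinkholes:
        if addr in net:
            return label
    return None


def find_sinkhole_hits(log_text, entries=SINKHOLES):
    """Group sinkhole-resolving lookups by client so each infected host is one lead."""
    sinkholes = load_sinkholes(entries)
    hits = defaultdict(lambda: {"count": 0, "qnames": set(), "sinkholes": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        label = classify(m["answer"], sinkholes)
        if label is None:
            continue
        rec = hits[m["client"]]
        rec["count"] += 1
        rec["qnames"].add(m["qname"])
        rec["sinkholes"].add(label)
    return dict(hits)


if __name__ == "__main__":
    for client, rec in sorted(find_sinkhole_hits(SAMPLE_LOG).items()):
        print(f"{client}: {rec['count']} lookups -> {sorted(rec['qnames'])} "
              f"via {sorted(rec['sinkholes'])}")
```

Because, as the post notes, attribution can be wrong and sinkhole addresses change over time, a hit here is a lead to investigate the client host, not a confirmed infection; refresh the list and keep the queried name alongside the address so the original malicious domain can be checked against the sinkhole operator's documentation.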


College and Infosec: To Degree or not to Degree?

So, you love to hack, and you’re going to get that dream job in infosec! Except, now what? A wide array of certification firms and colleges are willing to sell you an infosec program, with shiny advertisements and clever sales pitches. Unfortunately, college is massively expensive in the US, and the learning environment isn’t great for everybody. Is it worth the money and effort to get that Bachelor’s in Cybersecurity? Will a degree in an unrelated field do the trick? Will not getting a degree come back to bite you years later?

***

College degrees. I’ve found few topics aside from vulnerability disclosure in information security which raise so much raw emotion and fierce debate. In the interest of giving a well rounded and diplomatic answer about their value, I’ve once again asked several exceedingly qualified people to join me in sharing their time, experience, and ideas on the subject. Through a series of ten questions, each of us has weighed in on some hefty questions about the value of college education in learning about information security, getting an information security job, being promoted, and showing credibility.

Please allow me to introduce today’s contributors, who have generously contributed their time and thoughts:

Daniel Miessler, I’ve been in information security for around 18 years, with most of my time in technical testing (thick, app, web, mobile, IoT) and consulting. I lead OWASP’s Internet of Things security project and run a website, podcast, and newsletter where I talk about infosec, technology, and humans. More at https://danielmiessler.com/about.

Tarah M. Wheeler, Tarah Wheeler (BA, MS, CSM, CSD) is Principal Security Advocate & Senior Director of Engineering, Website Security at Symantec. She is the lead author of the 2016 best selling Women In Tech: Take Your Career to The Next Level With Practical Advice And Inspiring Stories. She co-founded and now serves as board chair for Fizzmint, an end-to-end employee management company. She has led projects at Microsoft Game Studios (Halo and Lips), architected systems at encrypted mobile communications firm Silent Circle, and holds two agile development certifications through the Scrum Alliance. She founded Red Queen Technologies, LLC & Infosec Unlocked. She acquired her startup funds by cleaning out poker rooms in the Northwest and Las Vegas. Reach her at @tarah.

Robert Sheehy, @helpmerob. Helping “people” with “stuff” while holding a senior management role in infosec.

Space Rogue, Looks like everyone else is putting their corporate bio here, uggh. I’m just some guy, ya know? I’ve been around for a while and I’ve done some stuff. I currently work as a Strategist for Tenable, [@spacerog http://www.spacerogue.net]

Chris Sanders, Chris Sanders is an information security author, trainer, and researcher. He is the founder of Applied Network Defense, a practitioner focused information security training company, and the Rural Technology Fund, a nonprofit devoted to providing technical education resources to rural and high poverty schools. He is the author of the best-selling security books Applied Network Security Monitoring and Practical Packet Analysis. He also hosts the Source Code Podcast. [@chrissanders88, http://www.chrissanders.org]

Jessica Hebenstreit (@secitup), I’ve been doing security for almost 17 years. I got a lucky break early in my career at Motorola as an Intern and have been doing InfoSec ever since. I’ve done a lot of different roles in a few different verticals. I always come back to Ops and IR. Creator of the DREAMR framework, speaker and volunteer. I am active in the security community and enthusiastic about making the industry more inclusive and accessible. https://twitter.com/secitup/ https://www.linkedin.com/in/jessicahebenstreit/

Without further ado, let’s launch into some of the most contentious questions about career paths in the industry!

***

  1. First of all, the elephant in the room – did you go to college or university yourself? If so, did you get your degree before or after you started formally working in security?


    Jessica: In short, yes. However, my academic career was varied, and longer than a traditional “4 years”. I started at Iowa State University in the Computer Science program. After a couple of major changes (because I am not great at coding and suck at math), along with study abroad experiences and transferring to Arizona State, I graduated with a Bachelor’s degree in Interdisciplinary Studies with a focus on International Business and Spanish. I was fortunate to start working in security as an Intern at Motorola for 3 years prior to graduation. I was offered a full time role that I began prior to actual graduation. I also have a Master’s degree that I obtained in 2012.

    Space Rogue: I started school like everyone else but quickly ran out of money despite the GI Bill. I was able to get good paying IT jobs anyway and figured I didn’t need a degree. Then one of the many recessions in my career hit, and I found myself out of work with few opportunities. I could almost always get an interview based on my resume and experience, but on more than one occasion after the third or fourth interview I was asked, “So I don’t see a degree on your resume, do you have one?” I would answer truthfully, “No, but I have years of experience and have done all these great things, blah blah.” and I was told “Thank you very much, we’ll call you.” After the fourth time in a row that this happened I decided I needed to get a degree. It took me several years of online and night classes but I finally graduated.

    Chris: I had an opportunity out of high school to take a computer network consulting job that would have put me in the top 1% of earners in Mayfield, KY. Of course, that was making 40K/year as Mayfield is a very rural, high poverty area. I’m fortunate that I had a few teachers who really cared about me and got it through my head that my ceiling was much higher and a degree would help me realize that. I ended up completing my bachelor’s, master’s, and am currently working on my PhD. I couldn’t afford college and didn’t receive nearly enough financial aid to pay for it all, so I worked full time (and then some) while working through all of my degrees.

    Robert: I received a two year degree in computer programming, although I have been considered a hacker since my early teen years. I’ve undertaken a significant number of independent studies since getting my degree, most of which did not result in a formal credential. I’ve taken and passed well over three dozen various IT and infosec certification exams, with close to a dozen still being active. Most of them demonstrate a minimal understanding of baseline requirements and not of advanced expertise. I feel that some people are way too proud of their credentials and certifications.

    Tarah: I went to college before formally working in infosec, though I’d been doing hardware assembly and servicing since 16 and coding since I was about 19. I got degrees in international relations and political science with quantitative elements. I have a BA and an MS, and in my experience, no one at all cares if those degrees are in cybersecurity or not. They’re an absolutely indispensable box tick when it comes to getting past HR, however.

    Lesley: I hold two Associate’s degrees (Avionics and Electronics) which were more an accidental byproduct of completing a lot of coursework than anything else. My Bachelor’s is in Network Engineering. I received it before working in infosec formally and after joining the military (thank you, G.I. Bill!). There weren’t really any security specific degree programs yet at the time.

    Daniel: I did go to college, for four years, but I left before graduating to start my professional career in infosec without a degree. I’ll be completing my bachelor’s soon and moving on to a Master’s. At this point it’ll be just to check the box and for the fun of it.


  2. Based on your experiences hiring entry to intermediate-level infosec professionals and working in the field yourself, where do you fall on the spectrum of extremely pro-college, somewhat pro-college, neutral, somewhat anti-college, or extremely anti-college?


    Chris: Somewhat pro-college. I think everyone can benefit from being surrounded by a group of people who are devoted to learning. However, I recognize that it isn’t for everyone and finding the right faculty/college/program is non-trivial. All things being equal, if I’m choosing between two candidates I will go with the person who has a college degree.

    Tarah: Somewhat pro-college. I don’t think in any way that college is a prerequisite for being in security. I think it’s a startling leveller when it comes to diversity in technology, and one of the challenges employers are always facing is how to justify hiring someone who doesn’t “look” like a hacker or coder. I have, in my several previous positions, had to fight like a dog to get a woman or a person of color or someone queer to get hired, and sometimes the only ammunition I have is that they have a degree, and the more stereotypical (and often less-well qualified or experienced) person doesn’t. When I’ve been the CEO, I could just say “you’re hired,” but when I’ve been in a hierarchy, I have had to, in the past, justify my decisions to a structure that doesn’t always understand the hacker mindset.

    Space Rogue: Neutral. Personally I would rather hire someone with at least some experience than just a college degree. I am always looking for someone who has done something, anything, real as opposed to just book learning. But I also realize when it comes to hiring managers I’m probably a bit of an anomaly. As infosec as an industry matures it is becoming more and more difficult for entry level people to stand out amongst the crowd. There is a lot of talk about the talent shortage in infosec but that really only applies to the mid and high level. The entry level is awash with people just finishing college with their newly minted degrees all looking for some way to stand out.

    Robert: Neutral. There needs to be experience outside of school for anything beyond entry level. Without experience, a credential can help to demonstrate that the candidate can see through a formal curriculum program to completion.

    Jessica: Somewhat pro-college. I believe some are “late bloomers” and that college right out of high school may not be for everybody. I think more doors are opened for college degrees. I also think college gives one a variety of experiences and challenges one might not encounter otherwise. I also realize college is expensive, at least in the US, and for that reason alone can be out of reach for some folks. I am still deeply in debt for my degrees.

    Lesley: Somewhat pro-college. I see more benefits than negatives, but it’s not for everybody and it’s extremely expensive in the US.

    Daniel: Somewhat pro-college. There are skills you can get from university that you don’t usually get other places, but it shouldn’t be considered a must for most infosec positions. This is something Google figured out when they did their big study of what variables make people successful. They expected to find that great colleges produced the best workers. Or people with the best grades, or who interviewed best. But no–they found few correlations with any of this stuff, and they were forced to accept that there’s no magic variable to any of it. Their people who went to college or didn’t, or went to a small school vs. a big famous one, didn’t show much difference in their performance. It turned out to be all about the management of the team that made the difference, but that’s a story for another day.


  3. What are some skills, motivations, and credentials that stand out to you the most on an entry-level infosec résumé (before the first phone screen)?


    Space Rogue: I look for anything done outside of school that is relevant to the job. I want to see some kind of passion for the work; at the entry level it doesn’t have to be much, but something. If the resume is nothing but degrees and certs and zero extracurricular things, they are unlikely to get an interview from me. If a person has no relevant work history at all then I want to see non-relevant work history. To me work history, any history, beats formal education every time.

    Chris: I don’t expect much out of an entry-level resume and put very little stock in them. I rely much more heavily on the interview and wind up interviewing most of the people who apply to an entry-level posting. Hiring is the most important decision I make, so it’s well worth the time spent. As far as resume content, it’s an entry-level job, so I don’t expect them to be passionate or display that on the resume yet. I want them curious, and then as their manager it’s my job to help them evolve that into passion. That said, if someone has already started learning about the field I think it’s great to list what they’ve been learning, how they’ve been learning it, and who they’ve been learning it from. I also value resumes that show involvement in service projects. People who have a servant leadership mindset and are willing to give of themselves are the type of people I want to work with.

    Tarah: Have they built a computer from parts to booting? Have they contributed to an open source project…even so much as a pull request to fix a typo? Have they built a website? Have they tried to harden their home network? Have they ever demonstrated that they’re willing to help others by posting blogs or information or answers? I don’t much care if they feel like they’re good people or if they love animals. I care what they can *do*. No one can hire solely on potential; you must demonstrate some of your ability.

    Jessica: Passion for the industry is something I definitely look for.  Personal projects that one can speak to such as those on github, or a blog.  Competing in things like CTFs or other contests, volunteering and other involvement in conferences, competitions or other projects show a passion for industry.  

    Robert: Personal initiative and interest in information security. The best professionals are passionate about what they do.

    Lesley: Speaking, presenting, competing, or working at infosec conferences. Other participation in the security community through projects or meet-ups. Some type of dedicated coursework that demonstrates good systems and networking fundamentals, or equivalent work experience in another IT field. Some college is a plus, but the degree doesn’t have to be technical. Overall, I look for motivation to learn and succeed.

    Daniel: Having a website or other home for projects you’ve created or helped with. Projects show passion, and passion is a powerful force for improvement. If you’re actively working on projects in your field there are few things that are more compelling to a hiring manager than seeing actual fruit of that curiosity and skill.


  4. Can you think of a situation in which you might recommend that an entry-level person who is interested in security not get a degree?


    Space Rogue: I don’t think I could recommend anyone not get a degree ever, not in today’s job market. In the 90’s and early 2000’s almost nobody had an infosec degree because infosec degrees did not exist. Everyone was self taught, so if you didn’t have an infosec degree you were no different than anyone else. Infosec, or more accurately ’cyber’, degree programs exist at just about every college and university today. If you decide to not get a degree you will be at a pretty big disadvantage compared to everyone else competing for the same entry level job. That said, if your resume makes it to my inbox I won’t really care if you have a degree or not if your resume shows that you have the experience and/or skills for the job. But then I’m probably not the hiring manager for the job you are applying for.

    Chris: I had to work 60+ hours a week to pay for college and even then I still have fond memories of standing in Wal-Mart calculating what foods had the best dollar/calorie ratio so I could spend as little on food as possible. You have to REALLY want it sometimes (or just be deathly afraid of failure). If you have hardship to deal with, whether financial or family, you have to figure out how much pain it will cause you and whether the upside reward is worth it. For some people, it simply isn’t.

    Tarah: No. Sure, save money and do some at a community college, do the GI Bill, do a state school and be a big fish in a little pond…but I simply cannot in good conscience, knowing what today’s job market looks like and how overheated cybersecurity hiring is going to be for the next ten years, recommend that someone not get a degree. Note here that I don’t give a damn what your degree is in. Neither will anyone else past possibly a couple of people in your first entry level jobs. Just get one. And get an MS if you can. It’ll pop your earnings drastically long term and is a HUGE leveller for diversity in tech.

    Jessica: No, I’ve spent quite a bit of time thinking about this question recently and I really cannot come up with a scenario where I would recommend not getting a degree. Even if you have to go part time while you work and it takes years and years, I strongly believe you will be better off in the end with the degree. I think there are definitely outliers that find vast success on skill and reputation alone, but those folks are few and far between (you know, “outliers”). I’m seeing more and more organizations that are putting in hard and fast degree requirements, particularly in healthcare and higher education, without which you will quickly reach a ceiling. I’ve seen this ceiling as low as not going past a Senior Analyst/Engineer without a degree.

    Robert: College degrees are only one way to show that you’re well rounded and take your professional development seriously. An individual’s personal situation and experience must be considered in respect to what is the best focus of their professional development efforts. Particularly if student loans are involved, the long term debt accumulation might not be worth it. Focusing instead on a certification could serve as a first helpful step towards gaining that first position in infosec. If working as a contractor, it might be wise to defer schooling even further in your career until obtaining a permanent position that offers tuition assistance. With professional momentum and outside self study, you might get to the point in your career where your professional experience is accepted as a substitute for the formal accreditation. World travel, for example, can be used to demonstrate educational sophistication in lieu of a degree.

    Lesley: If they’re only interested in the money or prestige as opposed to the work, or they haven’t done anything to learn about the field before launching into a degree. Also, if they already have a strong network of infosec contacts and going to school would interfere with taking a great opportunity immediately. Lastly, if it’s a significant long-term financial burden, college may simply be unfeasible.

    Daniel: If they already have some significant level of skill that makes them competitive and they’re being offered a job in the field similar to what they’d get when they graduated. Even then, if it would be relatively painless, I’d say get the degree just to have the checkbox, but if it’s overly difficult and you already have the skills required to get a job, go for it. It all depends what you’re looking for. If you just want to get into the field, you can do that. But if you want to make it to the top at a big company, you’ll probably need a bachelor’s and/or master’s.


  5. If an entry or intermediate-level infosec person chooses not to get a degree, what steps do you suggest he or she take to mitigate this when applying for jobs or promotions (which may state college as a requirement or preference)?


    Space Rogue: My first bit of advice is to realise that without a degree there are some jobs where your resume just won’t make it past the first level of HR. However if it is a job that I am hiring for and your resume can actually make it to my inbox then I will want to see some sort of experience. Something that says you are really interested in this line of work, volunteering at an infosec conference, a github project, contributions to an OSS project, participating in the local citysec meetup, something, anything.

    Chris: While this may be an unpleasant fact of life, not having a degree may affect your ceiling because some organizations value it. However, for the job seeker there is a benefit that infosec is in a skilled worker shortage. If you can develop skills in areas where need exists, you can find a job. However, you need to be able to show those skills in some way. For some people that might be a certification, for others it might be a github repo showing a project, and for others it might be a blog. Once you establish one or more of those things, focus on connecting with real people instead of relying on HR gatekeepers and automated systems. Do your research, find people working in or hiring for roles you want, and reach out to them. Even if it doesn’t lead to an immediate job, you might find a mentor or build a long-lasting relationship.

    Lesley: Network, network, network. You’re going to get blocked at a number of HR filters, which are automated and unforgiving. So, your hopes lie with name recognition with hiring managers who can tweak postings for you or somehow bypass the computer. This means proving your competence through projects, community participation, and being articulate. Currently we’re in a skill shortage, which plays in your favor in this scenario. This gap is decreasing, starting with entry level as more people graduate from cybersecurity training and degree programs. Certain geographic markets will take longer to catch up than others, so looking outside your local area may help.

    Robert: It is not a degree by itself that makes someone qualified for a senior position; rather it serves as a proxy to be used by hiring managers to measure capability. This requirement can be substituted, but constructing the best argument to support your personal experience as a worthy substitution is completely on the individual. Non-traditional education can stand in for formal degrees, but it may require a substantial effort to make the case for your specific goals, and is likely to require repeating every few years. Always address any concerns about an educational deficiency in your resume head on when pursuing a new role. It can go a long way to submit a well written statement in response to any concerns that you’re willing to obtain whatever credential is expected while working in the position, along with spelling out in detail how your specific personal accomplishments and experience directly address the traits your target is hoping are demonstrated by having the degree requirement.

    Tarah: Get good and get well-known for it. Get a CISSP, which is the bareass minimum you’d need to get past HR without a degree at some infosec jobs. Network your ass off because without a degree, you’ll suffer for recruiters contacting you. Figure out how to get some publicity. You must, must, must begin speaking and teaching widely.

    Jessica: First of all, take a long hard look at where you want your career to go long term. I think these decisions are made with a short to medium term outlook. Come to peace with the fact that you are likely closing doors and limiting your upward mobility. That said, get certs: CISSP is a must to get past HR, and I also recommend several SANS certs, maybe the OSCP, depending on which area in security you want to be. Lastly, get your name out there, network, get on Twitter, volunteer and/or speak at every conference you can.

    Daniel: If they’re just starting out and don’t have a degree they’re going to need to show proof of existing skill. That usually means blogging and projects showing your abilities. Show vs. tell is a powerful concept in today’s market.


  6. Conversely, can you think of a situation where you might suggest to an infosec candidate that he or she should get a degree? If so, which skills would this most enhance?


    Daniel: I’d say get a degree if it’s at all easy for you to do so. If it’s paid for. If it’s an easy program. If your friends are there anyway. Etc. If it’s not going to put you out too much, or if you don’t have any skills at all and you need to learn fundamentals in a structured way. The other advantage is just rounding out your writing, general education, etc., which are important for advancing to later career stages.

    Space Rogue: Getting a degree is not going to hurt you. You will never be disqualified from a job because you have a degree. It is possible to get a degree without spending a fortune and going into debt. You can either get a degree to actually learn something or you can just get the piece of paper. Either way a degree can only help you. If you are going to spend the time and money to get the degree you should try to actually learn something. I would focus on any hands on classes where you can actually work with production systems, even if they are simulated. Learn to code. Any class that allows, no, encourages you to break things.

    Lesley: When you can’t fill more than half a page, single spaced, on your resume with IT-relevant skills or experience, it’s definitely worth considering. Also, some companies and government agencies value degrees very highly as a corporate culture, and degrees may be tied fundamentally into future promotions or pay raises. If you’re looking to join one of those organizations, or you want to stay in one, it may be time to start planning ahead. Finally, if you have the G.I. Bill or your employer pays a significant portion of tuition fees, it’s prudent to not waste free money.

    Chris: If you are capable of getting a degree, you should do it. There are immense benefits to being surrounded by people whose goal is to both teach and learn. Not only might you actually learn something, you’ll also learn how to think differently and be exposed to viewpoints differing from your own. In real life you have the option of filtering out people who you don’t agree with. In academia, that is a lot harder and it forces you to think about things you’re not used to thinking about. This also makes you better at debating, presenting information, and incorporating new information into your existing viewpoints.

    Robert: College can be fun, you can learn a lot, and you can start networking with other future professionals early. What degree you get likely does not matter for a career in infosec, but I would recommend seizing any opportunity to get a degree if it does not come with a significant debt burden.

    Tarah: Getting a degree cannot possibly hurt you. The Pareto-optimal solution is to get a bachelor’s in any field as cheaply and as rapidly as you can. Unless you are graduating top of your class in CS at Stanford or MIT, no one cares.

    Jessica: Getting a degree, any degree is not going to hold you back. If you have a desire to someday move into leadership a degree is going to help to facilitate that.  I know a lot of folks in security that do not have technical degrees; archaeology, accounting, psychology, business, women’s studies to name a few. I also know several folks that didn’t get a degree and are now finding roadblocks to advancement because of it and are now going back in their late 30’s and 40’s to get the degree while also now balancing a job,  spouse, kids, etc. which makes it that much more difficult.


  7. Assuming an entry or intermediate level infosec person has decided to get a degree, do you find more value in non-technical degrees or technical degrees? Is there any value in a minor in a different field? Does it matter at all from your perspective or management’s?



    Daniel: I think technical degrees are preferred. CS is preferred, but CIS (what I did mine in) is also solid. The more you get away from those, the less value it’ll have for infosec jobs. But keep in mind that many companies are just looking for the bachelor’s checkbox. This matters most if you’re looking at a formal hiring process at a very large or prestigious company, where CS and CE are preferred.

    Space Rogue: If you just want to pass the first entry gate of HR then get a degree in basket weaving or creative writing or philosophy. The automatic system scanning your resume won’t care and will sort your resume into the ‘with degree’ pile. Assuming you focus on a ‘cyber’ degree your minor will depend on what your long term goals are. If you want that CSO/CIO job in 20 years then look at a business or even accounting minor but I wouldn’t discount an art history or western civ minor either. You might be surprised at what lessons from other fields can be applied to infosec.

    Lesley: What you gain from a degree is much more fundamental than technical minutiae, which becomes obsolete quickly. Lots of skills one learns in college are ubiquitous across majors. Business, language, and communication courses provide important insight in our field. From a technical degree, you should concentrate on gaining a solid understanding of how things work at a fundamental level: programming, the telecommunications infrastructure, attack vectors, and common system architectures. Learning how to use a specific tool is rarely helpful after a couple years, and I see few course curricula that aren’t already several years out of date. You should be learning how to think logically, continue learning, and express your thoughts professionally.

    Chris: The unfortunate fact of our industry is that most university degrees don’t actually teach the skills necessary to do the job well. There are a few pockets of excellence and great instructors scattered here and there, but they are rare. Traditional computer science is great at building engineers and programmers, but not information security practitioners. Dedicated programs for information security are often dramatically out of date and focus on the wrong things. For that primary reason, I urge people to get degrees in other things while studying infosec through non-traditional means. This also has an added benefit of bringing “outside” perspective into information security, which is much needed and helps set you apart. I perk up when I meet someone who has a degree in physics, psychology, engineering, English, or something completely unrelated to tech. I can’t wait for the day where I feel good recommending people pursue information security degrees, but that day isn’t today. You can come from anywhere and be an effective infosec practitioner, but the ability to think in a way that is unique from your peers will help you move up quicker in many cases.

    Tarah: There’s a hack here. The hack is to get your degree in whatever you can get paid for or most cheaply–and to take research methodology or EECS or applied math courses alongside. This is what I did. I have a decade and a half of technical coursework that bumped my skills to the next level in math, data structures, computer science, electrical engineering, social network and complexity theory, etc. You can pick and choose what you emphasize as you speak to employers. I personally find that people with philosophy degrees make magnificent programmers, and people with math degrees make magnificent philosophers.

    Jessica: Get any degree. I think there is something to be said for applying ideas and learnings from one field to security. I started out in a technical program (computer science), but had a hard time with programming classes (I took intro to C++ 3 times) and math classes (Calculus I 3 times as well!) and it wasn’t feasible for me to continue this path. I went into my manager at Motorola where I was interning and she said something along the lines of:
    “Jessica – you have a job here but you have to graduate at some point. I can’t hire you without your degree and you can’t continue as an intern without being in school. You work for a multinational corporation; get ANY degree that could be applicable.”

    I then scoured the course catalog and settled on International Business and Spanish. There is a lot to be said about being well rounded and not having all of your knowledge in one basket. I’ve also never had an interviewer ask “why International Business and Spanish; not CS/CIS/MIS/etc.?”

    Robert: Since any degree is unlikely to actually provide you the core skills you need to be successful in infosec, the degree pursued is insignificant. I’d recommend taking a topic you find interesting that you will see through to completion.


  8. Considering candidates you’ve interviewed and current cybersecurity curricula at a variety of institutions, would you recommend cybersecurity-specific degrees at all? What would you consider some indicators of a good and/or a bad infosec degree program?




    Daniel: I generally judge programs by big vs. unidentifiable names. If it’s a big name school, or a big CS school, that’s a plus. If it’s a no-name school then it’s just a CS checkbox, which is still positive. Most of the benefit of someone from a big name school is the fact that they got accepted in the first place.

    Space Rogue: To be honest I am not super familiar with the various programs that are out there. I know some are a lot more hands on than others but if I am looking at a resume I am unlikely to research your school to see how good of a program they have because frankly I don’t care. However, if you are looking to actually learn something then look for a program that has additional certifications. Something like the NSA’s National Centers of Academic Excellence in Cyber Defense or other certification.

    Lesley: I see too much focus in most “cyber” programs on specific tools and minutiae, as opposed to critical IT fundamentals which are so important to being a good hacker or defender. Also, I see an unfortunate tendency to gravitate towards the cool, theoretical, and “sexy” as opposed to less exciting but more relevant skills. For instance, my ongoing gag gripe is about every Forensics major I meet doing their thesis on steganography, which is relatively rarely seen in real practice. The same people often aren’t comfortable with memory forensics or timelining. There’s a lot of pragmatism in real life infosec. Overall, ensure that the program has plenty of general IT courses that build a good understanding of how systems work, and references real life cases.

    Chris: Our industry is really good at building excitement around topics like breaking and hacking. Unfortunately, those aren’t the skills you learn first and they aren’t the areas where the most jobs exist. Most cyber security programs gravitate towards those areas and skip over the fundamentals. The ones that do see a need for the fundamentals often think those fundamentals are computer science. While computer science is foundational, you don’t need to be an expert in mathematics or embedded systems to be successful in the vast majority of infosec jobs. For these reasons, I have a hard time recommending cyber security degree programs. I’m hopeful this will change at some point when more experienced practitioners find their way to academia, which is happening. Universities need more instructors who have been in the trenches, but also understand academics and what foundational knowledge is critical for our field.

    Tarah: Only the power of your alma mater’s network matters here. Unless you’re going to UW, CMU, Stanford, MIT, Berkeley, or a similar program known for tech, your best move is to learn what you love and add tech as tools for you to use. That will be reflected later in your work and career.

    Jessica: I feel like a lot of the “cyber” programs are reminiscent of the MCSE bootcamps from the early 2000’s and other certification mills. If that is the program you want, then find a quality one. Otherwise go for another degree. Cyber programs also need more folks that have been actual practitioners to teach actual skills that will be used. Having a good foundation, rooted in theory is fine and in some cases needed; however, I see too many candidates now that can memorize the buzzwords and talk very shallowly about a concept but cannot apply it in a meaningful way. Additionally, critical thinking and analysis skills are sorely lacking. Those are hard to teach but it’s really hard to be a good Security practitioner (particularly in a role like SOC or DFIR or Red Team) without those skills.


  9. At this time, (or in the near future), do you foresee any potential benefits in the infosec field in going on to get a graduate degree?



    Daniel: Yes, if you’re interested in working in any sort of formal field. Like government, or a big company in a specific department, like data science. Other than that, the bachelors is usually quite sufficient. The other thing a Masters is good for is that it’s somewhat important for senior roles in big companies, or top roles (CISO) at any company, if you think you might want that later on.

    Space Rogue: If you really want to differentiate yourself in the job market then yes, get a graduate degree. But this really depends on your own personal long term goals. If you really want to be a scapegoa^H^H^H CIO/CSO then a graduate degree will be a big help in achieving that.

    Lesley: I can see two situations where this would be desirable. The first is when it is likely to be required for a desired promotion in the future (I do see Master’s Degrees, especially MBAs, preferred for senior leadership positions). The second is when one’s intention is to stay in academia or dedicated advanced research. I rarely see graduate degrees greatly preferred over a Bachelor’s degree in entry-to-intermediate level infosec hiring.

    Chris: If you are thinking about a masters degree then you should have a sense of how much you enjoy your current work and where you want to go with it. For example, if you want to get into business leadership then something like an MBA might be helpful. The thing here is that you shouldn’t just pursue another degree because you feel it’s a requirement to get somewhere you want to go. Chances are, with persistence you might be able to get there anyway. You should pursue another degree because it will introduce you to new ways of thinking and teach you things that will be more fulfilling to you on a personal or professional level. I pursued a master’s degree in homeland security because I was interested in national defense and public policy. That provided valuable perspective that I apply in multiple areas of my life. The more successful people I’ve seen often pursue master’s degrees in things a bit outside their normal comfort zone. The key is that it should be about learning, not about checking a box.

    Tarah: Hell, yes. It’s definitely put me at the top of lists. And my MS is in political science, don’t forget. It’s just a box to check. Get a law degree or an MA in English–it just doesn’t functionally matter.

    Jessica: Some industries are now requiring this in order to be in a management/leadership position. I would not have gotten my job at Mayo Clinic without my master’s degree; they require it for Director level positions. I think there is going to continue to be more rigor there. I know my Master’s has opened other doors for me as well. I do wish I would have gotten a JD or MBA instead of my MSIT.


  10. Anything further you’d like to add on the topic?


    Space Rogue: In the ongoing twitter debate there have been a lot of comments about the cost of college. While a traditional name brand four year school will cost a pretty penny there are ways to get an accredited degree without going into huge debt and spending a fortune. Without going into super detail here are some things for you to google on your own. Look at your state school, often much less expensive than a private institution. Don’t forget you can start out at a local community college and transfer the credits later. Also depending on what program you are looking at, many schools will offer credit for life experience, if you know who to ask. One of the best ways to get credits for little money is the College Level Examination Program; again depending on your school you can get up to two years worth of credits for $80 per class. Anyway if all you’re looking for is to check a box and get a degree, cost is not a valid excuse.

    Tarah: Either the hiring manager wants to bring you aboard or they don’t. If they do, they might need extra ammunition for their choice of you over someone else. Make it easy on them by sticking every letter you can behind your name (on LinkedIn, not in your Twitter bio). I want to emphasize one last time: degrees and certifications are the big leveler in diversity. I have a growing body of anecdata that is burnishing my now gold-plated theory that women, POC, and queer people benefit disproportionately from getting degrees and certs. That typically manifests itself as a drastic uptick in recruiter approaches at each career level when you update your LinkedIn in a way that doesn’t seem to happen for people who stereotypically look like the media’s conception of hackers. If the hiring manager doesn’t want to hire you (based mostly on the first fifteen seconds of your impression on them) no degree will help you. But chocolate and career coaching might.  🙂

    Jessica: College is expensive in the US, and the cost is only going to continue to increase. It will open more doors than would otherwise be opened. Think of it as future proofing. I’ve always known I want to be in leadership, but I have colleagues that came to that conclusion later in their careers and are now going to school to check the boxes. Set yourself up for success and an easier path now. I think as our profession matures it is only going to become a more steadfast requirement; like many professions there are some minimum requirements and I see ours continuing in that direction. We’ve moved past the infancy of the infosec profession; along with that comes a threshold, which often times, and more so in the future, means a degree.

    Chris: Most knowledge-based professions have really well-prescribed paths for getting into the field and finding success. If you want to get into medicine, accounting, or law you know exactly what you need to do. Our field couldn’t be farther from that — there is no single path. The beauty of that is you don’t have to go to college. However, like those other professions, you do have to learn how to think. Being aware of how you think and effectively applying that (aka metacognition) is the most critical part of gaining expertise and ensuring you are capable of learning effectively. The beauty of college is that it is the perfect environment for your metacognitive ability to flourish…if you let it. If you view college as an opportunity to do this and seize it you will benefit tremendously. If you view it as merely a checkbox to get a piece of paper, you’ll be disappointed in how far that paper gets you.

    Daniel: Credentials have the value that others place on them. Understand that and you’ll understand a lot about degrees. Make a clear distinction between the education and the credential, and realize that while you can self-educate you can’t self-credential. Understand that you’ll find a full spectrum of respect for degrees in various populations, countries, verticals, sectors, etc. Some will not even notice if you have a degree or not, and others won’t take you seriously unless you do. That being the case, it’s always better to have it than not, so the question is really about what you’re sacrificing to get it, and whether or not that’s worth it.

What’s in my (Hacking Con) bag?

A number of people have asked about what I carry at a typical hacking con. In the blog below, I provide a brief overview. This article isn’t meant to be an endorsement and was in no way sponsored. Use what works for you, but I have included links for things when I can remember where I got them.

First, let me show you my bag, itself:


My bag is a Grunt Style tactical messenger bag. I like it because of the small form factor, it has lots of interior and external pockets, and has a variety of attachment points – carabiners, molle, ties, and velcro. It also happens to be configured for CCW, if that’s your cup of tea.

I’ve used various styles of backpacks, but I found myself with a tired back by the end of the day and I prefer the security of a cross body I can keep an eye on. This one fits my 13″ MBP in a clamshell. I believe that’s the biggest notebook one could fit in it (but I highly advise against carrying a 15 pound desktop replacement to a con, if you must carry a laptop at all).

There are lots of vendors that carry similar bags, and each manufacturer has dogmatic followers who will regale you with the merits of their choice. Try them out and see what works for your computer and body.

Now to the important part – the contents of my bag:

The “Must Haves”

Printed Ticket: Because your phone will die or not scan at a really inopportune time.
Phone & Fob-Sized Faraday Bag: An alternative option is carrying a burner phone, but for the most part I see people with their personal or work phones at cons. Sometimes you’re in a situation where you want to stop transmitting everything, that minute. Usually it’s because an antenna is pointed at you and somebody is grinning. It’s a cheap and important thing to have.
Wallet with ID, and Adequate Cash: The RFID wallet fad is pretty irrelevant. Just avoid bringing credit cards if possible, and don’t bring a debit card within several miles of the con. Cash whenever possible, and don’t use an ATM once you’re there!
Phone and Charger: Self-explanatory.
Earplugs: Because con parties, shared lodging, and airplanes can be too loud for the most die-hard rocker.
Wet Wipes or Hand Sanitizer: Con plague is real.
Insulated Water Bottle: It’s really important to stay hydrated at *any* big event. Alcohol, coffee, and energy drinks don’t count – bring a refillable bottle to drink lots of water, and have some juice with vitamin C daily. There are two types of bottles I like for cons – insulated bottles that keep water cool or coffee warm, and filtered bottles when the water there is less palatable.
Pens, Pencils, Sharpie: Self-explanatory.
SyncStop: A must-have if you would even consider charging a device off any USB port that does not belong to you.
Power Bank: Outlets are in high demand.
Mini First Aid Kit & Prescriptions: I have rarely gotten through a con without myself or a friend needing an OTC painkiller or a band-aid. I would recommend having those, at a minimum.
Mini Toiletry Bag: On your person, for long days – not the one in your hotel room. I “militantly encourage” deodorant, and recommend a disposable toothbrush, as well as contact lens stuff and hair ties (as applicable).

The “Nice To Haves”

Business Card Case: Not only will you want to give out cards, but you will likely be handed cards you do not want to lose.
‘Bag of Holding’ (with cables, adapters, dongles, USB drives, assorted antennae): Lots of vendors make cable organizers for travel that have spots for cables and USB devices. In mine, I carry video adapters for my laptop, presentation remote, charging cables, wifi and bluetooth antennas, hacktools, and USB drives. It really beats them tangled about in the bottom of the bag.
Properly-Imaged Laptop: If you decide to bring a laptop, do not bring one with personal or work data on it. Swap the drive, or reimage. It is very possible you do not need a laptop.
Multi-Tool: Don’t leave home without one. (Except through airport security.)
Pelican 1010 With Essential Lockpicks: I have bigger Pelican cases with my practice locks and full set of physical intrusion tools that I can pack in my suitcase. On my person, I carry a few favorites to use in Lockpick Village, lobby con, or at vendor challenges. Mine are pretty assorted (see the image above), but Toool sells a good beginner set. Check out Deviant’s blog and Red Team Tools regarding other useful locksport tools (which he can properly name much better than I).
Warcollar DopeScope: For CTFs, challenges, and just finding weird wireless stuff around the con to impress drunk people.
Hak5 Rubber Ducky: Too small not to, and can come in handy in assorted challenge land. (No, I don’t have a Bash Bunny, yet.)
Small Screwdriver: I almost put this in the “must have” list. You should never travel with electronics without an appropriate screwdriver. Most multitools don’t have a tiny one, either.
Snacks: Always a good idea to throw a few granola or protein bars in your bag. Schedules can get packed, and lines at local eateries and coffee shops can get very long.
Sweatshirt: Conference rooms get miserably cold.
RTFM: The pen testing book you are most likely to loudly scoff at now and sing praises of when Google isn’t available and man isn’t relevant.

I hope you found this list and explanation helpful.

Ask Lesley InfoSec Advice Column: 2017-04-26

I was sent some very challenging scenarios this week, from entry level remote work to anonymity. As always, submit your problems here!

Hi Lesley,

I’ll add a little background before my question. I’ve always wanted to break into the infosec industry as I love tinkering and figuring out how things work. I managed to get my first IT job on a helpdesk, which has taught me loads, and continues to every day; however, I’m not content with sticking to support. I’ve been very lucky in being accepted onto the Cisco CCNA CyberOps scholarship. My question is, do the course objectives look to be industry relevant?

First exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secfnd/exam-topics
Second exam objectives – https://learningnetwork.cisco.com/community/certifications/ccna-cyber-ops/secops/exam-topics

I’m going to sit the course and try to pass it regardless; I’m just interested in how it is viewed by an infosec professional.

– A keen n00b 🙂

Hi Keen,

Congratulations on your scholarship. The CCNA SECOPS and SECFND objectives are good, and cover many fundamentals every security professional should be able to describe and define at a minimum. Think of the program as your ten thousand foot view of many different niches and professions in security. Use the opportunity to pick out things that interest you personally, and dig into a couple farther. This might be indicative of the field you want to eventually work towards. Conversely, if you find at that high level you’re weak in any specific areas, then it’s definitely a sign you need to study up on that subject.


Dear Lesley,

I’m a programmer. Last year I quit my job and started to study infosec and systems programming at home; around December I reached the conclusion that I wouldn’t be able to turn this hobby into anything profitable (“pay-the-rent” profitable, not Zuckerberg profitable). I don’t live in the US, UK or any other major country, so these positions just don’t exist locally; information security is a non-issue here.

The only way out of this that I could see is bug bounties, but even then, bounties don’t seem like a reliable source of income. Surely I could make some good money in some months, but I can’t pay the rent only “in some months”, you know?

So that’s my question, how would you go about making infosec your main source of income if you can’t work for local companies nor relocate?

-Nasher Alagondar

Hi Nasher,

It’s really commendable that you want to get into security despite there not being much of a field, community, or market where you live.

You’re in a tough situation. If you were able to move I would definitely recommend going abroad with an internship or entry level position to get your foot in the door for a while before working remotely. The independent bug bounty market is a tough one, and it’s a mess of very skilled to totally unskilled people trying to make a living. Lots of companies don’t pay out bounties, and some even pursue legal action against people who submit them. If you could build up credibility with a dedicated bounty firm like Bugcrowd, that would probably be the best case scenario, but it’s still a cutthroat industry filled with many people in similar situations to you. If you go this route, you will really need to rise to the top in responsiveness and skill to be successful.

There are some remote low-level blue team cybersecurity jobs, particularly at big managed security providers. Their nationality requirements are going to vary, and it’s very likely they will require you go to their office for a period of time for training. Perhaps some commenters on my blog have specific suggestions of firms. This seems the most ideal option for stable work.

A third option is making it an issue in your area. Cybersecurity is in the news more and more lately, and malware like ransomware really has a visible impact on even very small businesses. I’m not sure where you live, but if there are businesses, hospitals, or schools that use computers, you can probably sell them general IT service consulting with a side of basic security configuration and response. That’s going to take a lot of initiative and entrepreneurship on your part, and requires enough of a market to make a living.

Either way, please reach out digitally and do all the networking you can with other security professionals. It can’t hurt to have friends who can hire!


Dear Lesley,

I’ve been in IT for over 10 years, with a focus on security the last 4. I want to continue in the security field and am really interested in the defensive side of things.

The problem I have is that most certifications, books and resources online seem to be aimed at Red Team folks. I know the best way to defend against attacks is to learn how the attackers work, so I do see the value in learning things like pen-testing etc. My question is what else can I do to strengthen my Blue Team skills and also grow my career?

Thanks!

– I Want to Be Blue Like A Smurf

Hi Smurf,

Yes, red team skills are directly translatable to the blue team, as are general systems administration skills. There are plenty of defensive courses and certifications, but they are not as broad as red team certs like OSCP or CEH.

  • For instance, if you’re interested in reversing, you should be looking at books like Practical Malware Analysis, conferences like REcon, courses like SANS 610 or Applied Reverse Engineering with IDA Pro, and certs like GREM.
  • If you’re interested in forensics, you should be looking at books by Harlan Carvey and Brian Carrier, courses like those from Volatility Labs or SANS 408, 508, 526, and certifications like EnCE, GCFA, GCFE.

And so on and so forth. There are many defensive niches and they each have specific training, tools, and certifications. The broadest defensive certifications are Security+ and CISSP, and those are pretty high level for a reason. With your years of experience, I would suggest specializing a bit.


Dear Lesley,

In today’s world guarding our personal information has become more important than ever and maintaining our privacy has become more difficult and exhausting whether we like it or not. My first question is what do you think we can do to protect our privacy while we are looking for a job or socializing with other people …etc… and second do you think it’s worth creating a pseudo-name (pseudo-identity) and giving it to the people we meet inside and outside of our field instead of your real name as a layer of privacy and maybe protection? Thank you for your time.

– cautious paranoid

Hi Paranoid,

I can’t tell you whether it’s better for you personally to use a real name or a pseudonym online. This requires a series of judgement calls you have to make yourself, and you will have to weigh costs and benefits. I can tell you that I use my real name because the exposure I get is tremendously beneficial to my credibility and ability to speak and train people. This comes at a cost. I have friends who use pseudonyms which can be traced back to them with effort, and others who have decided to be as anonymous as possible so they can discuss subject matter their employers disapprove of. If you use your real name, you should carefully craft your online persona and avoid posting offensive or sensitive personal information. If you use a pseudonym, you must be cognizant that it could be traced back to you tomorrow, or in ten years.

Unfortunately, this is one of those situations where you must weigh convenience and ability to function in society versus personal privacy, and try to maintain a balance between the two that works for your individual situation.


Dear Lesley,

First of all, thank you for this question series and for the Infosec Megamix. It really helps self-doubting me to get back on my feet and continue my path in the infosec world. Now, I recently obtained an infosec certification and it turned out to be an eye-opening experience which played well along my broad-and-shallow approach to learning. But ultimately I want to specialize in some sphere and my interests are (in no particular order) threat intelligence, forensics and research/exploit development. Which are the topics I should get familiar with that are essential to all these spheres? (or maybe 2 out of 3?) I’m currently picking up some low-level knowledge (reversing, OS insides etc.) and there is so much to be learned, so some guidance will be very helpful. Thanks again and keep up the good work!

– The Inkmaster

Hi Inkmaster,

Congrats on your hard work and certification. I’m really glad it inspired you.

The three areas you mentioned are pretty functionally disparate. The two you are most likely to see overlap in a role are forensics and threat intel, but that’s not super common.

Threat Intel requires a lot of soft skills, OSINT research, and geopolitical understanding. Forensics requires a lot of disk, memory, and operating system knowledge. Exploit research is entirely a different can of reverse engineering worms on the red team side of things. However, I like your question because it brings up a point I rail on a lot – system and network fundamentals are critical for every red team or blue team person.

Off the top of my head, some things that will overlap between those fields:

  • OS architecture, system function, and file systems – Forensics and Exploit Research
  • TCP/IP, ports and protocols, and internet architecture – All Three
  • Scripting with Python – All Three
  • Exploit methodology and the ‘kill chain’ – All Three

Dear Lesley,

I would like to know, when performing various things over the internet like hacking/scanning someone’s network and other stuff that can alert the authorities, how can I perform those tasks without them knowing who I really am (like my IP and stuff; most use proxies but I have a gut feeling it’s not only that)? I would like to know how professionals cover themselves up over the Internet of course 🙂

-QuesT-Ion

Hi QuesT-Ion,

First, the caveat – I don’t recommend or condone illegal hacking and you should only exploit systems that belong to you or you have clear written permission to test.

No, it’s not only about proxies. Sure, many a hacker has screwed up and forgotten to tunnel one piece of traffic, and many an ISP and VPN provider has been successfully subpoenaed, but IPs alone are not the end-all way to catch a hacker. Not only can attackers use proxies, but they can also use another compromised system as an attack platform, so the whole fields of DFIR and Threat Intelligence are pretty much dedicated to associated detective work.

There are lots of hard and soft indicators that can give away the nationality, location, or even identity of a hacker. Hard indicators include solid evidence like IP, MAC, system fingerprinting, metadata on files that shows a creator or source device, or geolocation data. Many an attacker has screwed up and left an internal hostname, handle, or local SSID behind in commands or code. Soft indicators, when put together, can also paint a great picture of an attacker. They are things like the time zone the attacker worked in, the language their tools and keyboard were set to, the specific malware variants or tools they selected to use, when they took breaks or made errors, and their methodology.

Of course, many an attacker has just been caught by much more embarrassing means, like bragging about their attack without enough caution, or getting caught in a sting operation.

Real life attackers try to eliminate all of those mistakes and soft and hard indicators, but as threat intelligence reports will show, that’s very hard to do completely.

Ask Lesley InfoSec Advice Column: 2017-02-26

This week, we discuss red team and blue team self-study, getting kids interested in security, and security paranoia. As always, submit your problems here!


Dear Lesley,
I am a threat intelligence analyst who is currently underutilized in my current job, and feel like my skills and tradecraft are slipping because of it. I’m wanting to give myself some fun projects to work on in my off-time but am not really sure where to start. What types of things would you recommend?
-M

Dear M,
You’re certainly in a great field to want to work in, in 2017. Not only do you have the whole pantheon of nation state actors conducting cyber operations to study, but you have a huge range of commodity malware, botnets, insider threats, malware authors, and dark web markets to study. If you’re not feeling inspired by anything in that list, perhaps reach out on Intel sharing lists or social media to see if an existing project could use your skill set? Lots of folks are doing non-profit threat research work and need extra hands.


Dear Lesley,
If you do not have the budget to send people to SANS or to conferences, what free supplementary resources would provide fundamental training for someone studying DFIR?
-Curriculum Writer

Dear Curriculum Writer,
I can totally appreciate not being able to send somebody to a thousand-dollar (or more) commercial conference or training program. However, most BSides conferences are free (or under 20 dollars). I suppose if you are totally geographically isolated and there is no BSides in any city within driving distance, those may be impossible, but I would definitely explore the conference scene in detail before writing them off. Sending somebody to a BSides or a regional conference for the cost of gas and a few bucks provides a lot of value for the money.

Otherwise, a DFIR lab will be your best friend for self study. Unfortunately, I can’t guarantee a home lab will be totally free to implement. Let’s talk about some fundamental requirements:

– One or more test hosts running assorted operating systems.
– An examiner system running Linux
– An examiner system running Windows (recommended)
– Intermediate networking
– Free (or free for non-commercial use) forensics and malware analysis tools.
– A disk forensics suite
– A memory forensics suite
– A write blocker, associated cables, and drives.

An ideal comprehensive DFIR lab, where money is no object, might look something like:

– A host PC with 16GB (or more) RAM.
– VMware Workstation
– Ubuntu (free), Windows 7, 10, and Server 2008 VMs
– A SANS SIFT examiner VM (free)
– A REMnux examiner VM (free)
– A Cuckoo Sandbox VM (free)
– A Server 2008 examiner VM
– An EnCase or FTK forensics suite license
– A write blocker, associated cables, and a number of hard drives.

But we can do it more cheaply, sacrificing convenience. We can virtualize with VirtualBox (free, with fewer conveniences than Workstation), or use bare-metal machines scrounged from auctions or second-hand stores (the least optimal solution). This can work, but without snapshots, every time we infect or corrupt a machine we’ll have to spend time restoring it to the correct condition. We can stick with analyzing Windows versions that are out of support, but we won’t be totally up to date.

One of the most difficult things for people studying the “DF” side of DFIR is the inability to get expensive licenses for industry-standard corporate forensics suites. There’s really no great solution for this. There are limited demo versions of this software that come with some forensics textbooks. SANS SIFT does include The Sleuth Kit, an open source suite which performs some similar functions.

Physical forensic toolkits aren’t cheap, but aren’t in the same ludicrous territory as forensics software. You can pick up an older used Tableau forensic bridge for about 150 dollars on eBay. Perhaps if you network within your local security meetup, somebody will be able to lend you one, as many college and training courses provide them.

Once we have something resembling a lab, we can follow along with tutorials on SecurityTube and on blogs, in forensics and malware reversing textbooks, in open courseware, and exploring on our own.


Dear Lesley,
I have a daughter whom I would like to encourage to go into IT and possibly security if she’s interested. I know your father was influential in you getting into security. Do you have any suggestions for me as a dad on things I can do to encourage my daughter to become interested in IT and security?
-Crypto Dad

Hi Crypto Dad,

Yep, both of my parents had a big influence on my career! A hard question to answer, but an important aspect was not pushing me hard towards or away from hobbies. I was treated like a small adult and provided the opportunity to follow along with whatever my dad was doing in his shop, and even at a very young age he answered my questions without patronizing me or getting frustrated. He didn’t dumb things down; he just started at the beginning. I always had access to stuff to learn how it worked and how it was made. By the time I found out I ‘wasn’t supposed to’ know or like things, I already knew and liked them.


Dear Lesley,
I’m a penetration tester who seems to be falling behind with the times. My methods aren’t efficient. Recently I discovered there are better ways of doing things than my three year old SANS curriculum taught me. How can I stay current without becoming a lonely crazy old cat lady?
-Just a crazy cat lady

Hi Crazy Cat Lady,
You’re ahead of many folks by realizing there’s a problem. I see a lot of infosec people let their skills stagnate for many years after training or college, and our field changes really fast. No quick fix, but here are some suggestions:

– Participate in CTFs. Ignore the scoreboard and the dudebros and “rock stars”. Just compete against yourself, but do it genuinely and learn from your mistakes.
– Jump over to the blue team side for a bit and read some really thorough incident and threat reports from the past couple years. Sometimes seeing what other people are doing will give you interesting ideas of avenues to research.
– If you’re still reaching for Kali, escape its clutches. Kali is an amazing distribution, but it will only take you so far and lacks some newer tools. It can also discourage thinking “out of the box” about how to compromise a network. After all, it is a box.
– Get out to cons to watch red team talks. Watch recent ones on YouTube, too. See what other folks are up to. Your cats will be okay for a couple days, and you’ll make new friends.
– PowerShell Empire. 💖💖💖
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.
– Don’t be embarrassed to make mistakes and ask questions.


Dear Lesley,
How do you deal with any overbearing paranoia being in InfoSec? Example: I want my home network to be as secure as, if not more secure than, my work network… How can I explain my paranoia regarding outside threats (however unlikely), and cope with it 🙂
-Too Paranoid to enter my name

Hi Paranoid,

Fear is healthy in small doses. Fear keeps us alert to potential threats, and helps us survive dangerous situations. However, constant fear is not helpful and is patently unhealthy. If you see illusory threats in every dark corner, you won’t notice when a real one is there, and you’ll be too tired to respond properly to it.

You need to approach this as analytically as you can. Let’s talk about measuring real risk.

– Evaluate your assets. What would somebody genuinely target you for? This isn’t necessarily items or information, but could also include your job position or connections.
– Evaluate real threats to you. Who rationally has motive to “get you”, and do they have the means and the opportunity to?
– Evaluate your vulnerability. How could somebody attack you or your assets, and how much effort and resource would it take to do it? How well do you mitigate vulnerabilities? Are you a harder target than others facing similar threats?

Risk is a direct result of the level of threat against you and your assets, and your vulnerabilities. It’s impossible to change the level of threat. All one can do to change risk is change assets, or change vulnerabilities.

People make personal decisions about acceptable risk. A firefighter lives with a different level of risk than a librarian. The firefighter likely has to deal with occasional moments of quite rational fear and adrenaline (due to actual threats and vulnerability), but does not live in constant fear of burning buildings. The librarian might consider running into burning buildings an unacceptable level of risk, which is why he found a less risky profession. However, both people live comfortably with their overall risk and their mitigations, and not in irrational fear.

With all this in mind, consider the things that you’re paranoid about carefully. What is the real level of risk each poses? What level of real risk will you choose to accept on a daily basis? If your overall level of risk is actually too high to cope with on a daily basis, reduce your targeted assets, or reduce your vulnerabilities. If you find your level of risk acceptable, then maintain that level rationally and try not to be unduly afraid. You likely have more to fear from chronic health problems than nameless threats.

Is Digital Privacy a Privilege Of The Wealthy?

It’s a chilly spring morning in 1987, and things aren’t going so well for you. The threats and stalking weren’t your fault, but you’re genuinely afraid for your safety and the police couldn’t help much. After thinking long and hard, you’ve decided your best option is to disappear and start over. You pack your family’s belongings into your Fiero, empty your bank accounts (a couple grand in cash), close out your accounts without forwarding, and hit the road. You’re sick to your stomach scared to leave, but you’re also relatively confident – you can find cash work and lodging pretty much anywhere, (under an assumed name with counterfeit papers, if necessary). Go far enough and keep your head down, and it’s not likely he’ll find you again without a good PI or a string of bad luck.

★ ★ ★

It’s 30 years later, and the business of fleeing an abuser has changed dramatically. Many elements of our world are still familiar, but the nature of personal privacy is not. The internet, mobile phones, and social media brought the world closer, often in incredible and inspiring ways, but also in ways that fundamentally harm our ability to keep any element of our daily activity private or secure. The field of network security has grown from an afterthought to a standard college degree program and a major element of global military forces. News coverage shows us terrifying ways our personal data and digital devices can be abused, constantly bombarding us with reminders to restrict access to our data and internet presence.

Yet, the “common sense” security and privacy advice we offer frequently carries costs. Security experts can tweet about an Android version being obsolete and horrifically vulnerable to snooping a thousand times, but billions of people in the world simply can’t go out and buy a good quality new phone. There are wonderful commercial identity monitoring and digital privacy services available, for a yearly fee that might cut into many people’s medication budget. Even finding quality security education has tangible and intangible costs.

Whenever I tackle an extremely complex and contentious security topic, I endeavor to offer a variety of differing expert views to readers. Through a series of eight scenarios, I’ve invited seven security and digital privacy professionals to join me in weighing in on the fundamental question of how much of a privilege digital privacy, and the abilities to “restrict” or “remove” our digital footprint, really are. The discussion is generally North America-centric – international privacy laws vary greatly. However, many of our privacy and personal security solutions are not specific to any country. Our general conclusion is that while convenience and absolute anonymity can be a privilege that comes with resources, there are many effective low-cost ways to drastically improve personal digital privacy.

My colleagues, who generously contributed their time and knowledge to this article without compensation or sponsorship, are as follows:

  • Viss / Dan Tentler – Founder of Phobos Group. Dark Wizard. Breaker of things. Essentially a static analog for “targeted, skilled espionage for hire”.
  • Munin / Eric Rand – Blue team consultant; amateur blacksmith; consistently paranoid
  • Krypt3ia – Old Crow, DFIR, Threat Intel, Targeter: krypt3ia.com @krypt3ia
  • Lloyd Miller – Managing Director at Delve, a competitive intelligence, research, and policy consulting firm
  • plum / Chris Plummer – Former IBM, DoD, now staff at exeter.edu. Oxford commas at 603security.com, chasing120.com, and @chrisplummer.
  • CiPHPerCoder / Scott Arciszewski – CDO at Paragon Initiative Enterprises, writes and breaks cryptography code. https://paragonie.com/blog/author/scott-arciszewski – @CiPHPerCoder on Twitter
  • evacide / Eva Galperin – Director of Cybersecurity at the Electronic Frontier Foundation.

 


Question 1: Mobile Device Privacy

Smartphones are woefully vulnerable to compromise and surveillance by numerous sources, from advertisers, to criminals, to suspicious spouses, to nation state adversaries. As our “second brain”, they contain massive amounts of our sensitive information, such as where we’ve been, our contacts, and our account logins. The common security boffin recommendation is to always own an up to date phone (often specifically an iPhone), replacing it whenever it becomes obsolete. Good quality phones aren’t cheap, but smartphones are frequently a necessary part of modern life. What are your privacy and security suggestions to somebody who can’t afford a new iPhone every few years, but needs a smartphone for work or school?

Munin – Limit your threat surface. Only install those apps that are essential for what you need, and avoid random web browsing on it. Don’t open attachments on it – set your email client to text only. Apply updates if they’re available for your platform. Don’t root or jailbreak it – yes, it lets you do a bunch of cool things, but it also opens up significant maintenance problems.

Lesley – Even if you can’t afford a new phone, please routinely check the version of Android or iOS you’re using. Once the phone is out of date and no longer receiving updates, reset it to factory settings and treat it as cautiously as you would a public computer. No matter the age of your phone, avoid installing any apps with too many permissions, including access to your microphone, GPS, camera, contacts, or phone identification. Keep location services turned off.

On another note, while the ubiquitous iPhone has pretty good security “out of the box”, there are also very good arguments for using an up-to-date Android phone from which the battery can be physically removed, if privacy is a big concern. There are few things more reliable than physically breaking a circuit.

Viss – There are carrier free phones that you can buy that cost half of what carrier phones do. A OnePlus2 will cost you around $300, and they get software updates several times a year. You can also get a Google Nexus or Google Pixel. All of these non-carrier phones get software updates way way more often than any phone that a carrier will try to sell you. That alone is a pretty huge improvement, even before taking personal measures to secure a mobile device. Also, a OnePlus, Nexus or Pixel will likely last years, and remove the need to buy a new phone every 12 months.

Lloyd – I don’t think good security comes cheap with phones, but Munin gives the best advice – if nothing else, only do the bare minimum necessary to accomplish what you need to do, and cut out the rest.

plum – In theory, devices purely for work or school should not be all that demanding in terms of features, so they should be remotely affordable. The carrier market is white hot right now. Chances are, there’s at least one in your region with a pretty compelling deal on a handset. This is difficult because for short money you’re into a new phone that you may not necessarily understand how to secure. To that end, don’t go out on an island – buy something your friends and family are familiar with, so they can help you. While many are averse to working with salespeople, you may find one that knows quite a bit about keeping your handset locked down. It’s worth the ask; there are really good people out there who know a lot more than simply how to sell you a phone. You may not get it perfect, but it will be better than out-of-the-box.

Krypt3ia – Phones, like much of the technology today we buy and use that could lead to compromise of significant amounts of our data, are coming down in price in certain spaces while going up in others. So if you want to have a burn phone (and now you can get smart phones too cheaply) you can try to firewall yourself off by only doing certain things with a burner phone. I guess the thing is that generally here any phone at any time could be that device that leads to your data being open to attack.

It may also be of use to have a phone that has less functionality like a flip phone to carry out some tasks as the lesser the technology level the less the adversary has to work with as attack surfaces go. The reality however is no matter what you do you are subject to technologies that you do not have control over completely. As an example, I recently gave up a phone that I liked quite a bit because the provider did not update the operating system for security patches and had not done so in over a year. They just don’t really care, so I had to move on to a system that I could push the updates on. Still though, if you are relying on technology to protect you and YOU aren’t in control of every aspect of that, and are competent at it, it is a null sum game. Best I can advise you is to compartmentalize as much as you can. Use code words for things (i.e. appointments in calendars, names in phone books, etc) to obfuscate and make it that much harder for the adversary to get a toe hold.

CiPHPerCoder – Non-carrier phones like OnePlus are a good idea, as Viss said, but one important obstacle is how purchasing is structured. If you get a carrier phone, you probably aren’t dropping $800 right then and there; instead, they roll the cost of the device into your monthly payments. If you get a non-carrier phone, you have to purchase it yourself. I believe it’s worth it to find a way to overcome this obstacle (so that you won’t be left vulnerable when an Android vulnerability surfaces if your carrier is negligent) but this comes down to a cost-benefit decision.

A related concern for most people is data privacy. For example, using a secure, private messaging app like Signal or WhatsApp instead of an insecure choice (Telegram, unencrypted SMS) to communicate with your friends is a great move. Encrypting your phone with a passphrase (to be clear: not a PIN code, swipe pattern, or fingerprint; you want a passphrase) prevents anyone (for example, at the airport) from accessing your private data while it’s powered off. I recommend a longer passphrase (e.g. 20 lowercase letters, generated randomly) instead of mixing different character classes, to minimize frustration and typos.
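The passphrase advice above (a long string of random lowercase letters rather than a short mix of character classes) is worth putting numbers on. The script below is an added example, not code from the article or from any of the contributors; it generates a passphrase of that shape from /dev/urandom and computes the entropy of the alternatives. It assumes a POSIX shell with awk, tr and head available.

```shell
#!/bin/sh
# Added example: strength of an N-letter lowercase passphrase versus a shorter
# mixed-class password, plus a generator for the former. Assumes a POSIX shell
# with awk, tr, head and a /dev/urandom device (standard on Linux and macOS).

# entropy_bits ALPHABET_SIZE LENGTH -> bits of entropy, one decimal place,
# assuming every character is chosen uniformly at random from the alphabet.
entropy_bits() {
    awk -v a="$1" -v n="$2" 'BEGIN { printf "%.1f", n * log(a) / log(2) }'
}

# passphrase LENGTH -> LENGTH random lowercase ASCII letters.
# tr -dc discards every byte that is not a-z, so each surviving letter is
# uniform over the 26 possibilities (no modulo bias); LC_ALL=C keeps tr
# byte-oriented under UTF-8 locales.
passphrase() {
    LC_ALL=C tr -dc 'a-z' </dev/urandom | head -c "$1"
    echo
}

# is_lowercase STRING LENGTH -> succeeds only if STRING is exactly LENGTH
# characters, all of them a-z. Used to sanity-check generator output.
is_lowercase() {
    [ ${#1} -eq "$2" ] || return 1
    case $1 in
        *[!a-z]*) return 1 ;;
    esac
    return 0
}

# Worked comparison:
#   20 lowercase letters             -> 26^20, about 94.0 bits
#   8 chars from 95 printable ASCII  -> 95^8,  about 52.6 bits
#   12 chars from 95 printable ASCII -> 95^12, about 78.8 bits
# The 20-letter passphrase is stronger than a typical "complex" 8- or
# 12-character password and far easier to type on a phone keyboard.
main() {
    printf '20 lowercase letters: %s bits\n' "$(entropy_bits 26 20)"
    printf '8 mixed-class chars:  %s bits\n' "$(entropy_bits 95 8)"
    printf '12 mixed-class chars: %s bits\n' "$(entropy_bits 95 12)"
    printf 'sample passphrase:    %s\n' "$(passphrase 20)"
}

main
```

The entropy figures only hold when the letters are chosen uniformly at random; a passphrase made of dictionary words or typed "randomly" by hand has far fewer bits than its length suggests.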

evacide – (most of the useful technical advice has already been given, so I am going on a bit of a tangent here) Phones are one of the most clear-cut examples of money buying security, but when you’re making digital security/privacy decisions, always keep the attacker in mind. Your most up-to-date iPhone will not help you if you’ve been coerced into giving your password to your abusive partner or that partner has installed an app (covertly or otherwise) on your phone that allows them to spy on you. For these cases, it may be appropriate to covertly purchase a cheap second burner phone, which may not be as secure against hackers, but which may allow you to covertly communicate without alerting your abuser.

Question 2: You, on the Internet

Companies like FamilyTreeNow and Intelius collect data about every US citizen they can; even ones who don’t regularly use a computer. This data often includes addresses, phone numbers, social media profiles, criminal history, as well as family member names and birthdates. Obviously, this data can be very damaging when used inappropriately, and generates global privacy and security concerns far beyond simply being in a local phone book. Removing this data from hundreds of these companies is a huge undertaking, but commercial subscription services that do it reliably aren’t cheap. What’s the best option on a tight budget?

Viss – https://www.abine.com/deleteme/landing.php – spend $129.

Munin – Do what you can to minimize the harm – that’s the name of the game here. If you can’t afford a good service, do what you can by yourself. It won’t be perfect, but reducing the threat surface to a minimum will help. Remember, you don’t always have to outrun the bear – you can last a lot longer if you can outrun the other campers.

Lloyd – I don’t believe takedown notices are an effective strategy in the whack-a-mole world of personal data aggregation. You can send them, but the sites can ignore them. Additionally, a lot of that information including birth, property, voter registration, and criminal/legal records are government-generated and legally protected public records. There are several very reputable services, including Intelius (get it?), you can pay to help remove some of this information, but I would ensure they offer guarantees and other identity/credit protection services.

Lesley – Third party privacy services are out of many people’s price range, but certainly the most effective solution for everyday privacy concerns short of a new identity. Privacy is also a constant battle – you need to look at a subscription service rather than a one-time removal. If you absolutely can’t afford one, you can opt out of many services for free, but it’s a time consuming and convoluted process. As a last resort, at least remove your data from the top 20-25 services to try to delay and frustrate people trying to research you. Don’t make a harasser’s life easy.

plum – Two years ago I discovered a downloadable database of voter registration data that included DOB from eight US states, and it had already been online for several years and mirrored in Europe. For the individuals in these states, through no fault of their own, their identities are permanently at risk. In truth we’re talking about mitigation, not prevention. Anyone’s best hope is an annual ID theft monitoring service. Some employers actually offer these free of charge. Tight budget? You’re left to pull a free credit report once a year and hope you catch something. The system is pretty broken here.

Krypt3ia – The ONLY way to avoid this is to not be you any more. So, you fake your own death after getting decent documentation with another name. Get credit set up for that person, a whole “new suit” as they say and then live that life and never talk to anyone from your past.

But oh wait… Now you have a new name and series of datapoints to worry about!

Best bet, go live off the grid in the woods or become homeless.

Another null sum game.

CiPHPerCoder – I’ve got personal experience with the downside of these services. When I was a teenager, my mother’s hobby (which consumed most of her waking hours when not working) was genealogy research through websites like Ancestry.com. It’s kind of funny in that, as I taught myself more about computer security and online privacy, she was unwittingly working hard to ensure that I would never have privacy online. Many years ago (either 2009 or 2010), an Internet troll had used this publicly available data to send me harassing emails, demanding that I take my blog offline forever.

Despite that experience, I don’t have a solution here.

It’s obviously an extortion racket; using the threat of public exposure to get people to pay up. The alternative to reaching into your wallet is playing whack-a-mole with third parties that mirror your personal information. The first option provides this industry with the incentive and resources to continue harming people’s lives. The other maximizes the harm they cause your own life (by wasting time trying to achieve a modicum of the privacy you should, rightfully, already have).

However, like many other areas of security, layered defenses work wonders to fend off attackers. Making a new pseudonym and linking it to a false persona is challenging and requires a ton of discipline to be successful. Even if you can’t protect your personal information, you can prevent malicious parties from connecting your screen name to your real name without drowning in a moral quandary.

Question 3: Traveling Abroad with Digital Devices

Travel is often considered a privilege, but people from all backgrounds do travel internationally. There are firm warnings from security professionals about bringing mobile devices and computers into less friendly countries (especially ones that conduct extensive monitoring and seizure) as they may conduct forensics on them or insert surveillance hardware or software. This adds a layer of risk to somebody who is trying to remain unseen. The blanket advice is usually to bring a separate, disposable computer and phone if they’re required. Computers and phones aren’t cheap. What would you recommend to somebody who needs to travel overseas to a dubious location but doesn’t have a big budget?

Munin – If you’re travelling for business, see about having your company handle the purchase of separate, designated equipment. If you’re there for a conference or just visiting, see if any of your friends in that country [social media’s great for making friends in foreign parts] will be willing to let you borrow equipment while you’re there. Remember that any kind of electronics you bring across a border – especially these days – is probably going to get searched, so avoid the problem if possible. Also, take some time ahead of time to set up a benign social media profile – put some noncontroversial or patriotic looking activity on it, and lock down or suspend your real accounts before you travel. If you end up being forced, coerced, or pressured into giving up online activity, refer to that account as your only account. Part of being safe is looking like you’re not worth harassing – so keep the lowest profile possible.

Viss – Do you HAVE to travel with your phone? Or your laptop? Can you use a chromebook, and just buy a burner phone while you’re in another country? Do you feel that you’re in a position where customs here or there will try to get into your phone? Here’s a fun trick: Select a cloud backup provider (Spideroak, Box, Dropbox, ec2, whoever, doesn’t matter). Make a titanium backup or nandroid backup of your phone. Make sure to use the encryption option. Put your encrypted phone backup into cloud storage before you leave. Format your phone in the air on the plane. If anybody wants to look at your phone, they can see it – there’s nothing on it. Have fun. When you get to your destination, pull down your phone backup and restore it. You may want to remove all your downloads and stored media beforehand. If you take the time to either A) have a dedicated travel phone that you do this to, or B) just occasionally trim your phone storage down you can get this to under a gig.

Lesley – Echoing Viss, consider very carefully if you really need the phone, or you just feel irrationally naked without it. Payphones may be rare, but they still exist in most transportation hubs, as do calling cards that work internationally (they are often sold in airports), and paper maps. If there is no way you can function without a phone, there are relatively cheap (<$40) options for unlocked disposable phones such as BLU, and SIM cards can usually be purchased at convenience stores when you arrive at your destination. Leave your sensitive personal data, including your fingerprints, off of any burner phone. Use it for travel essentials only. Stick to a “dumb phone” if you can.

Lloyd – For short term use, you can get used smartphones off Craigslist, get a prepaid SIM card, install just the contacts and apps you need for the trip, and then toss it on your way home. And, as everyone else has said, if you don’t need it, don’t bring it.

plum – I would never travel internationally with personal devices. Everyone has done well to discuss the risks, and from a practical perspective the logistics alone of getting a lost device returned to you from across a border – presuming a scenario that involves total honesty and goodwill – we’re talking long odds.

Krypt3ia – A USB stick with TAILS and an internet cafe or other access to a PC. Light footprint or you are in trouble. At this point you are dealing with nation states, and you will not win. INFIL and EXFIL into and out of countries is best done with very little on you. A mini USB (32 gig) can easily be tossed or eaten or destroyed. Not so much any other more expensive and luggable assets. For that matter you can cache them and in some cases secret them in your luggage where the color X-Ray and other schemes of detection can be obfuscated.

CiPHPerCoder – These are all good answers, so the only thing I can really offer is my setup. For domestic travel, I just have an encrypted laptop and encrypted mobile phone. If I’m traveling internationally, however, I’ll do the following:

  1. Rent a throwaway Virtual Private Server (VPS) from one of the providers on LowEndBox.
  2. Configure the VPS so that I can only SSH in via a Tor Hidden Service, using public key authentication (no passwords) with an SSH keypair unique to that server. (Ed25519.)
  3. Encrypt anything I need and store it on the server. (Veracrypt.)
  4. Purchase or repurpose a new laptop with a fresh Windows install for traveling purposes.
  5. Carry a USB or SD card with a Veracrypt-encrypted file containing the SSH private key.

TAILS can be procured on-site, and verified through other channels. I’d leave the phone at home.

Total cost: less than $10 if you already have the hardware on hand.
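Step 2 of that list (an SSH server reachable only as a Tor onion service, key-only, with a per-server Ed25519 key) is the part people most often get subtly wrong, usually by leaving sshd listening on the public interface as well. The script below is an added example and is not CiPHPerCoder’s own setup or any contributor’s code: it renders the server-side torrc and sshd_config fragments and the client-side ~/.ssh/config stanza, and includes a check that rejects an sshd_config which still allows passwords or public listening. The paths, the “travel-box” host alias and the placeholder onion hostname are assumptions; the client ProxyCommand assumes OpenBSD-style netcat and a local Tor SOCKS port on 9050.

```shell
#!/bin/sh
# Added example (not from the article): config fragments for an SSH server that
# is only reachable as a Tor v3 onion service, with key-only authentication.
# Placeholders: /var/lib/tor/ssh_onion, ~/.ssh/travel_ed25519, the host alias
# "travel-box" and the onion hostname. Copy the rendered text into
# /etc/tor/torrc and /etc/ssh/sshd_config on the server; nothing here touches
# those files itself.

# Server side, /etc/tor/torrc: publish loopback port 22 as an onion service.
# The onion hostname appears in /var/lib/tor/ssh_onion/hostname after tor starts.
render_torrc() {
cat <<'EOF'
HiddenServiceDir /var/lib/tor/ssh_onion/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
}

# Server side, /etc/ssh/sshd_config: bind to loopback only (so the service is
# unreachable except through tor), allow public keys, refuse every form of
# password or interactive login. ChallengeResponseAuthentication is the name
# still accepted by both old and new OpenSSH releases.
render_sshd_config() {
cat <<'EOF'
ListenAddress 127.0.0.1
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Client side, ~/.ssh/config: connect to the onion address through the local
# Tor SOCKS5 port (9050 for a stock tor daemon) using only the per-server key.
# Assumes OpenBSD-style nc, which understands -x (proxy) and -X 5 (SOCKS5).
render_client_config() {
cat <<EOF
Host travel-box
    HostName ${1:-REPLACE.onion}
    User deploy
    IdentityFile ~/.ssh/travel_ed25519
    IdentitiesOnly yes
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
EOF
}

# Read an sshd_config on stdin; succeed only if every hardening line is present
# exactly. Run this against the file you actually installed, not the template.
check_sshd_hardening() {
    cfg=$(cat)
    for want in 'ListenAddress 127.0.0.1' 'PasswordAuthentication no' \
                'PubkeyAuthentication yes' 'ChallengeResponseAuthentication no'; do
        printf '%s\n' "$cfg" | grep -qx "$want" || return 1
    done
    return 0
}

# Per-server Ed25519 keypair, generated on the trusted machine before the trip
# (ssh-keygen prompts for the key passphrase). Not called automatically.
make_travel_key() {
    ssh-keygen -t ed25519 -f ~/.ssh/travel_ed25519 -C "travel-box"
}

# Print all three fragments when run directly: sh this.sh [onion-hostname]
render_torrc; echo; render_sshd_config; echo; render_client_config "$1"
```

After installing the fragments, confirm from outside that port 22 is closed on the server’s public address and that `ssh travel-box` succeeds only with the Tor daemon running; a sshd that still answers on the public interface defeats the point of the onion service.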

evacide – If you’re traveling for business, your business should have a policy in place for your digital devices and travel. If they don’t already have one, this is the time to encourage them to do so. If you are crossing the US border, I recommend reading the advice EFF has written up as part of Surveillance Self Defense on this subject: https://ssd.eff.org/en/module/things-consider-when-crossing-us-border. In general, I would make sure my devices are password-protected, encrypted, and turned off when crossing the border. Particularly sensitive information should be removed from the device in advance, encrypted, and stored on a server for (secure! encrypted!) download if you need it when you arrive at your destination.

Question 4: Credit and Identity Theft Monitoring

Identity goes hand in hand with privacy. More Americans have had a credit or debit card stolen in the past couple years than those who have not, and data breaches and identity theft are huge problems. Services that proactively monitor and protect against this come with a monthly or yearly fee. What’s an affordable and effective solution for responsibly keeping an eye on your identity and credit? Are there solutions for people who can’t get a credit card?

Viss – Most credit cards these days come with alerting capabilities that will tell you if a charge comes through past a certain amount. Turn that on and set it to like $50. Anything over $50 and you get a text or an email. INSTANT notification if something sneaky is going on. You can’t do much about it not getting stolen in the first place, for example in the case of Target, the malware was in the cash registers and nobody knew. But you can know immediately if an attacker tries to use your card for evil, and you can call it in right away. Simply do this with every card.

Munin – If at all possible, do -not- use a debit card for anything. Every transaction is a gamble – so gamble with the bank’s money, not your own, and use a credit card if at all possible. An affordable alternative to paid services is to be ‘lucky’ enough to be in a breach – haven’t we all, at this point, received several years’ worth of “credit monitoring” to compensate us for the time and stress of having our identities compromised? More seriously, though, follow Krebs’ advice – lock down your account with the major credit bureaus, and unlock it if you have a specific need for a credit check. It’s not perfect, but it’s affordable and will reduce harm.

Lloyd – Using anonymizing services like Sudo, Blur (Abine), or Privacy.com allows you to make purchases with credit cards you have 100% control over. Therefore, if an online store is compromised, you can just delete the card and move on. Lock down your credit reports and do that for any of your children as well – people don’t monitor their children’s credit, making them vulnerable to identity theft as well. You can also get prepaid credit cards using very little information. You should research which features you prefer like ease of reloading, low or no monthly fee versus per-purchase fees, or usability. Generally, Chase and Amex are great introductory options. For international travel, Kaiku offers a prepaid card with no foreign transaction fees, great for short trips abroad. Keep in mind Know Your Customer laws make it very difficult to access the U.S. banking system and stay anonymous from the U.S. government for very long or while handling large transactions.

plum – The OPM breach, the Target breach, the Home Depot breach have really paid off for me; the past few years of free monitoring have been nice. LastPass actually bundles free credit monitoring, so that is worth exploring when this is done.

And as Munin mentioned, debit cards are cast from pure evil in a mold of good intentions. Never gamble on a retailer’s security posture with real money. Charge everything.  If you don’t have access to credit, use as much cash as possible and be very judicious in your check writing.  Every check you write says “hi, here’s my full name, here’s where I live, and here’s where I keep all of my money; in fact here’s my account number”.  That’s a lot to hand over to a complete stranger.

Krypt3ia – Most banks do this now for you at no charge. I would not trust these companies to protect my data anyway. It is just adding to the complex web of your data being out there for others to abuse. Keep an eye on your accounts regularly and make sure your credit card/bank has your current number to call. Don’t waste money.

Lesley – Cash is your friend. Otherwise, a few people have already correctly noted how very risky bank debit cards are for your privacy and money. Unfortunately, many people are financially unable to get credit (or credit that promotes responsible use). There are a few options out there. Prepaid debit cards are one – although they may not have fraud protection, the amount of money which can be stolen from them is limited by the amount of money the purchaser loads them with. They can also lend some anonymity. Another option is a reputable credit card designed for people with low or no credit, designed to theoretically build credit over time. Legitimate options tend to be low limit, from a reputable creditor, with some security deposit required, and should always be designed to be paid off every month in full. Unfortunately this is a security blog, so I recommend you seek some free financial advice.

CiPHPerCoder – The credit bureaus are not your friend. Do not count on them correcting any mistakes on your credit history. Do as Munin and Viss suggested. Normally, the saying goes, “An ounce of prevention is worth a pound of cure,” but in this case prevention is your only recourse: There is no effective cure.

evacide – When you make online purchases, consider not storing your credit card number as part of your account. The same goes for storing your credit card number in your browser. Use 2FA whenever possible to protect your accounts and a password manager to create strong, unique passwords, so that if one account is compromised, the rest of them are still safe.

Question 5: On the People Still Using Windows XP

Tons of people have computers. Some of those computers are so old they are no longer patched or remotely secure.  While operating system vendors have gotten better at forcing security updates in recent versions, security (especially in the era of the cloud) doesn’t necessarily indicate personal privacy. In terms of fundamentals from operating system, to browser, to antivirus, what are your suggestions to somebody who wants to upgrade their computer in a privacy-friendly way, but can’t afford more than a couple hundred dollars?

Viss – Microsoft gives updates to small businesses and students. Linux is free. Running linux is generally fine for people who simply need “a browser so they can Facebook and Gmail”, and that will keep them from the vast majority of exploits, drive by downloads and other attacks that by and large only target Windows. From the perspective of the operating systems, it tends to get a little hairy because they are designed to spy on people at this point. Github has several examples of an “unfuck script” that one can run on a Windows 10 installation to turn off all that telemetry. Once that’s done, I wager a combination of Windows Defender, EMET, and Malwarebytes for ransomware run all together and cranked all the way up should be a pretty good start. It’s surely more than most consumers would do on their own reconnaissance.

Munin – Most folks will be fine with a Chromebook. They’re kind of stuck in the Google ecosystem, which I don’t like, but they get continual patching and have a vastly lowered threat surface. If you’re OK with the whole “webapps for everything” thing – and let’s get real; that’s 90% of everyone’s usage these days anyway – then a Chromebook will likely meet your needs.

Lloyd – Chromebooks sacrifice some measure of privacy to Google in exchange for affordable computing experience. If you are not concerned what Google knows about you, this is a fine option. It is very difficult to keep operating systems up to date long term without regularly upgrading your computer.

plum – Basic, cheap ($200-ish), new systems seem easy enough to find. Certainly my best advice here concerns the disposal of old systems, as the general public is almost entirely in the dark when it comes to sanitizing equipment they don’t want anymore. I say this a lot – the lifecycle of personal computing is so incomplete. It’s so easy to get a new system, but we never really talk about how to get rid of the old one. Getting familiar with a utility like DBAN, which for $0 will wipe any trace of your existence from a hard drive, is a great first step.
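The overwrite-then-verify idea behind a whole-disk wiper like DBAN, shown on a single file so it can be run safely: this is an added Python example written for this page, not DBAN’s code and not any contributor’s. It overwrites the file in place with random bytes, then with zeros, fsyncs so the writes reach the device, reads every byte back to confirm the zero pass took, and only then unlinks the file. The sample data and temp file are constructed for the demonstration. Two caveats a practitioner should keep in mind: overwriting a file is not the same as wiping a drive (journaling filesystems, snapshots and SSD wear-levelling can keep copies of old blocks that a file-level overwrite never touches, which is why DBAN operates on the raw device), and on SSDs the drive’s own secure-erase command is the appropriate tool rather than repeated overwrite passes.

```python
import os
import tempfile

CHUNK = 1 << 16  # 64 KiB buffer for each write/read


def _overwrite_pass(fd, size, fill):
    """Write `size` bytes produced by fill(n) from offset 0, then fsync so the
    data reaches the device rather than sitting in the page cache."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        buf = fill(min(CHUNK, remaining))
        written = 0
        while written < len(buf):
            written += os.write(fd, buf[written:])
        remaining -= len(buf)
    os.fsync(fd)


def overwrite_file(path, random_passes=1):
    """Overwrite a file in place: `random_passes` passes of random bytes, then
    one pass of zeros. Returns the number of bytes overwritten. The file is
    deliberately left in place so the result can be verified first."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for _ in range(random_passes):
            _overwrite_pass(fd, size, os.urandom)
        _overwrite_pass(fd, size, lambda n: bytes(n))  # bytes(n) is n zero bytes
    finally:
        os.close(fd)
    return size


def verify_zeroed(path):
    """Read the whole file back and confirm every byte is zero."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize_file(path, random_passes=1):
    """Overwrite, verify, and only then unlink. Returns True if verification
    passed (and the file was removed), False if it did not."""
    overwrite_file(path, random_passes)
    ok = verify_zeroed(path)
    if ok:
        os.unlink(path)
    return ok


def make_sample_file(data):
    """Create a temporary file holding constructed sample data; returns its path."""
    fd, path = tempfile.mkstemp()
    os.write(fd, data)
    os.close(fd)
    return path


if __name__ == "__main__":
    p = make_sample_file(b"constructed sample secret " * 4000)
    print("bytes overwritten:", overwrite_file(p))
    print("all zero:", verify_zeroed(p))
    print("sanitized and removed:", sanitize_file(p), "still exists:", os.path.exists(p))
```

The verification step is the part worth copying: a wipe that is never read back is a wipe you are taking on faith.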

Krypt3ia – Become more savvy about how your systems work. Keep them patched and try to keep up with the attacks out there. However, for the average normal person out there these things I just said sound like the teacher on Peanuts. Once again, do not trust any operating system unless you have complete control over it and frankly no one out there can do this. It is thus important that you learn some OPSEC lessons. But again, try getting this through to Gramma, it is not that easy. It takes education and not the once a year kind.

CiPHPerCoder – If you’re still on Windows XP, this probably means one of the following:

  1. You lack the capital to purchase a newer computer.
    • In this case, make the switch to Ubuntu or Linux Mint, which are great and user-friendly GNU/Linux operating systems.
    • If you’d like to get familiar before you commit to a new OS, get Virtualbox (it’s free).
  2. You’re a company that needs to use software that doesn’t work on newer versions of Windows.
    • Consider switching to something like Qubes and running your Windows XP-dependent software inside of an isolated virtual machine to minimize the risk of a full system compromise.

Otherwise, you should just upgrade to a newer version of Windows. Laziness is incompatible with security.

Lesley – Part of this comes down to a distinction between privacy from companies, privacy from governments, or privacy from traditional criminals and the average nosy Joe or Jane.

An updated version of Chrome OS or Windows has a professional security team behind it releasing patches and responding to reports of vulnerabilities. This is really important. Of course, those companies rely heavily on cloud computing and telemetry – that’s how they provide the user experience which their customers expect. We’ve been focusing heavily on solutions for people facing criminal / stalker-type privacy concerns. In those situations, Chrome OS is an affordable option (assuming associated Google accounts are well-secured). Up-to-date Windows (while pricier) can be a good choice, too.

If you’re worried about privacy from companies, commercial options probably aren’t a great choice. This is where more user friendly versions of Linux like Mint or Ubuntu may be feasible. Of course, these distributions of Linux are ostensibly free, but that’s somewhat offset by the amount of time required to learn to configure and secure them.

If you’re worried about sophisticated actors, not only should you keep sensitive data off the internet, but you should restrict sensitive work to full disk encrypted systems without any speakers or network, Bluetooth, or wireless adapters physically installed.

Question 6: Private Digital Communications

There are numerous reasons to use encryption, and communicate and browse the internet privately. Abuse and harassment victims, whistleblowers, celebrities, journalists, and even government and military personnel may have to contend with being targets of surveillance, physical threats, or blackmail. Beyond overt risk, we have a fundamental right to privacy from the massive networks of data collection of advertisers and marketing firms that buy and sell our intimate details. While some services like Signal, Tor, and Protonmail are free, trustworthy VPN often isn’t. What are your suggestions for somebody non-technical who wants to communicate and browse with minimal potential for interception, without paying a lot?

Viss – Wire is free. Signal is free. Tor is free. VPNs are not. I run a small VPN service for exactly this reason. It’s IPSEC not SSL. That’s an important distinction, as well as it’s not “an app”. My VPN service uses Cisco hardware, not just “some cloud instances”. Do some homework on any VPN provider you elect to choose and try to steer clear of SSL based VPNs. They usually collect data about you and where you go, so while it may protect you from the skiddies in the coffee shop, it’s not protecting you from the vendor collecting your data for your $5 VPN account. If you’re a bit more technically inclined you could simply use an SSH tunnel. For that same $5 you could spin up a Digital Ocean host and use that as an SSH tunnel endpoint. Or you could stand up your own VPN. If you’re concerned about a private messenger on your phone being an indicator of you doing something shady, then install a bunch of them and use them for silly things. I have a wire room setup for “only gifs, no talking allowed”. There are nearly 40 people in there and nobody says a word, we just post silly gifs. So while it looks like there may be discussions happening to any outside viewers who can’t see the messages, it’s just noise. If you make lots of noise, it’s super easy to get signal through it. You just have to make sure the patterns of signal to noise aren’t super obvious.

Munin – “Use Tor, Use Signal” is the cliche in our world now, but it’s really going to depend on your specific needs. Harassment victims have different threats than whistleblowers, than celebrities, than journalists – there’s no one-size-fits-all solution. Perhaps talk to one of us, or some other trusted source, to figure out what your threat surface is, and work out what tools you have available that can best be used to manage it?

Lloyd – Depending on who you’re concerned about watching you, Signal, Wickr, and WhatsApp are fine for communication. I’m also a big fan of a pen and a piece of paper, and old fashioned face-to-face meetings. And never use a free VPN.

Krypt3ia – Use Signal, use Tor Browser, and understand that everything you do on the net, everything you put out there is a threat to that privacy. For that matter, every device is giving up your private data and giving the companies and governments a portrait of “you” that can be used against you. How would I obfuscate this data? There are some means such as add-ons to Firefox (TrackMeNot and uBlock). You may also want to read Obfuscation: A User’s Guide for Privacy and Protest (MIT Press), which had some good ideas on how to use digital chaff to try and limit the real data these corporations have on us. If you have an adversary though that is directly in opposition, then use encryption (GPG, Protonmail, etc.) but always know that the endpoints are always suspect (those you email with and the company serving you the service) so really, own the end point, forget the secrecy.

plum – Great points have already been made. I’ll add that it is critically important to remember to assess all of your online activity and electronic communication through the lens of litigation. If it exist(s)(ed), it can be subpoenaed. If this presents an unacceptable operational risk for you, hash things out face-to-face. If the logistics are not practical, follow Lloyd’s golden rule above: never use a free VPN. Tor is a go-to. While a little different, I would also keep an eye on Brave.

CiPHPerCoder – The only VPN you can trust is the one you’ve setup and administer. Most users aren’t technical enough to do this, and therefore shouldn’t use VPNs.

That said, there isn’t a winning concoction here that doesn’t require some user education to provide robust security against sophisticated threats.

Tor is great, but only if you understand its limitations. Tor + unencrypted HTTP means the exit node can sniff or alter your traffic.

Signal is great, but only if the person you’re talking with also uses it; otherwise, you’re communicating over unencrypted SMS. (You can turn the SMS fallback off.)

Whatever technology you choose, take 5 minutes to read through the documentation. The better you know your tools, the less likely you’ll make a fatal mistake when using them.

evacide – Before you choose a secure or private communications tool, think about your threat model: are you trying to protect your communications from criminals? From the government or law enforcement? From your parents or your spouse? These are all very different models. How important is it to you that the message should be secure? How important is it that the message actually gets to you in a timely fashion? (I’ve lost track of the number of arguments I’ve gotten into with my friends and family because a Signal message didn’t go through).  Are you OK with giving out your phone number for this communication?  Seriously, and I cannot emphasize this enough, Signal is not always the answer.

Lesley – A lot of differing opinions and options have been provided with regards to this problem – hopefully providing a starting point for consideration and discussion about private communications. I want to stress again that no matter what options you choose, noise is critical. Most of the private communications methods listed above hide the message, not the fact that you’re hiding a message. If you use VPN or encrypted messaging only for sensitive conversations or browsing you’re trying to hide, anybody watching will immediately start to look at that specific communication in more detail. For this reason, one of the first things I check in a computer under forensic investigation is the private / incognito browsing history. It usually contains only activity the user wanted to hide.

Whether you want to prevent an angry ex or a multinational criminal organization from intercepting your sensitive communications, make sure they are lost in a sea of everyday benign private traffic. That’s why Tor usage is so highly encouraged by privacy advocates for everyday communication – if only foreign journalists under death threat by rogue dictators used it, their traffic would be easy to spot and target.

Question 7: Authentication

Online accounts are always a target, and passwords are generally easy to guess by casual criminals and advanced actors alike. So, we frequently advise people to enable two-factor authentication on their accounts through an app or (less desirably) SMS. The problem is, not everybody has a smartphone of their own – particularly one that works everywhere reliably. What are your suggestions to somebody who uses online accounts, but doesn’t own their own phone?

Viss – Get a Google Voice number, and set up Hangouts to accept SMS messages. DO NOT SHARE THIS NUMBER WITH ANYBODY. You can set up 2FA SMS for everything that uses it, and those texts will hit Google Hangouts. You can get them on a desktop/laptop, or through Hangouts on your phone. The connection between your phone and Google is cert-pinned SSL, and the ‘secure texts’ will come through over data not SMS. It’s not a silver bullet, but it defeats Stingray attacks and mobile phone “man in the middle” attacks. You can also configure Google Voice to either forward those SMS messages to another number, or email them to you, or another email account. There are many options.

Lesley – An alternative option is a physical two-factor security key, a tiny object which is inserted into the USB port of the computer you are using while you log into a wide range of web services. U2F keys are well under 20 dollars, easily purchased from many online retailers, and should theoretically last far longer than many electronic devices. The downsides are that if you lose the key you may be in trouble, it won’t be usable in places which block the use of USB ports, and it could potentially be seized.

Lloyd – U2F keys aren’t a cheaper option than what Viss recommends. I like physical keys but they have weaknesses: your key can be stolen, there is still limited support for physical keys, and they cost money. If you’re someone who forgets things, leaving your key at home or in the wrong bag can cost you a day of work if you aren’t careful.

plum – Without a true “something you have”, 2FA starts down a road of compromise. Like Viss, I have not completely criminalized the use of SMS, and he presents a creative solution. Burner phones can serve this purpose well. For five bucks, a refill card for a thousand text messages could last a while.

CiPHPerCoder – This came up a lot in the discussion of the Guardian’s terribly misleading WhatsApp article. In the real world, a lot of users share phones and swap out SIM cards rapidly. In the WhatsApp case, this makes public keys change rapidly, which could create a UX nightmare for people who have used WhatsApp for years and never even heard of encryption. Many of the 2FA assumptions break down in a shared-device scenario.

If you’re in dire straits here, Viss’ Google Voice number suggestion is probably your best bet. I’ve not heard any other realistic solutions for folks who share phones and don’t own security keys. If 2FA isn’t available, outright, consider making it more of a point to use a password manager (KeePassX, LastPass, 1Password, etc.) than if you had 2FA.

Munin – This particular question’s been giving me problems for a few days now. The long and short of it is that, as far as 2FA is concerned, the users are entirely at the mercy of the vendors as to what nature of 2FA solutions the vendors support – for instance, though I really, -really- want to use a yubikey with twitter, twitter declines to support this option and only allows SMS based second-factor auth.

Unlike the other questions here, this is one in which the user has very little control over whether or not they can effectively follow the advice given.

The ‘correct’ solution would be to only use services from vendors that support proper 2FA – but when those services won’t “do the job” – e.g. all your contacts are on a service that doesn’t do this correctly – you’re inherently limited in what you can do.

So my ultimate advice here would be – if you -can- follow the solutions given above, do so; if you’re not able to, then do the absolute best you can with what you have available. If you don’t have a unique device available for a second factor, it’s best not to push for a compromised second factor over a non-compromised single factor. Control what you can, and look for opportunities to make it better; and pay special attention to those things you cannot control – monitoring is a kind of mitigation.

Question 8: You, in the Real World

We’ve discussed our online lives in detail, but what we do every day in the physical world leaves a huge digital footprint as well. This includes all kinds of activities, like shopping, banking, and our hobbies and work. Let’s think in terms of our introductory example of a victim of stalking and abuse (this time, in 2017). What are feasible actions he or she can take in day-to-day life, with a small budget, to reduce the digital footprint left by his or her activities (while still remaining a part of modern society)?

Viss – Use a combination of personal travel and ridesharing applications or public transit to mask surface travel. Combine using different credit cards with paying in cash. Change travel routes to not consistently use the same path to get to destination. Make random stops (at shops, for coffee, etc, whatever) to make it harder to determine where you are going. Turn off your phone from time to time (yank the battery if you can). Don’t spend a lot of time walking on the street in the open. Travel in a vehicle or on public transit as often as you can. Do not dress to impress. Do not stand out. Plain shoes, jeans, t-shirt. If you want to blend in, then blend in. You can look spectacular later. Pay attention to your surroundings. See if people are pointing cameras at you. Take detours and see if you see the same people over and over again. If you think you are being followed, validate that feeling by taking more detours and seeing if the same people are there. If you are confident you are being followed, let the people following you see you taking their photo or recording them. It helps if you have more than a phone – like a GoPro or a camera of some kind. Usually in that scenario they’ll have no idea WTF to do. The easiest way to not be a victim is to not simply lie down and take it. If you feel you’re being victimized, complaining about it on Facebook or writing a longwinded gif-riddled post on imgur will solve nothing. Get evidence of stalking or abuse. As much as you can. Confront the problem head on. If your abuser is physically abusing you get a restraining order and back that up with video evidence. http://www.wikihow.com/Be-More-Perceptive This is a good start.

TL;DR: everything on the internet leaves some kind of log. Don’t post stuff online then try to remove it. Just don’t post it in the first place. Don’t openly volunteer information for the sake of small talk. If someone asks how your day was, tell them – but don’t feel obligated to explain that it’s going poorly because your car insurance carrier dropped you because you were unable to make your last payment, and that was because trouble at work led to you being fired. That’s a lot to unpack and gives random people WAY WAY MORE INFORMATION than they need to just chat you up. It takes a bit of practice, but you can usually turn those kinds of conversations around onto them, and have them tell you a life story while not saying a word.

Krypt3ia –

Physical:

  1. Enhance your situational awareness
  2. Understand where the cameras are and seek places with less of them to do business
  3. Understand where the cameras are and seek to obfuscate their seeing you (hat, glasses, scarf, etc.) and look down, not into them.
  4. Randomize your routine, in fact do not have a routine
  5. Read up and practice counter-surveillance techniques (I can recommend books) but really having real practical experience and mentorship is key

Digital:

  1. Take all of the advice above in this document and use it.
  2. Leave your digital equipment behind or put them in Faraday bags
  3. Understand the precepts of OPSEC with regard to the internet
  4. Be vigilant

plum – Endeavor to use more cash. Every time you use a credit card, you’re generating data about where you are and what you’re doing.

Don’t allow mobile apps to use your location automatically, or at all.  Don’t check in.  The world doesn’t need to know you’re going for a run on your lunch break *right now*.  Tell them later about how you had a great run today, without mentioning where and when.  Small things like this. You’re not hiding your habits, you’re just removing the unnecessary precision in describing them.

Augment your digital protection strategy with self-defense skills.  You may never need to use them, but you’ll feel a hell of a lot more confident.  And when you’re confident, you carry yourself better, you’re more aware of your surroundings, and you turn the tables on being vulnerable.

Lloyd – Privacy and security are practice, and can’t be done alone. Your information, even your home address, is known and stored in devices and on paper by your friends, family, and coworkers. Most “hacks” occur via social engineering, where unsophisticated people are exploited for the information they keep. Educating the people around you should always be a part of any physical security practice.

Lesley – Pseudonyms and fake backgrounds aren’t just for criminals, people on the run, or spies. Sometimes, a little white lie is legal and okay, and even recommended. There are lots of places in your daily life where you can operate outside your real identity without even violating terms of use agreements. Countless examples include the fact that you don’t have to ship or receive packages at your house, you don’t have to provide real answers to your security questions, and you rarely are required to register for incentive or loyalty programs under your real name or address. Consider what information you are providing third parties out of naive, good-hearted honesty, versus what information you are providing out of legally-obligated honesty. Data collection and marketing firms don’t have your interests in mind. Why are you treating them like you have an honest, confidential relationship?

CiPHPerCoder – If you can, turn your phone off and take the battery out when traveling or discussing anything sensitive with your friends or family. Try to practice common sense at all times. Don’t, for example, take needless selfies and then share them publicly on social media if you’re trying to attain better privacy. Simply put: They don’t need to know, so don’t tell them.

Paying with cash has two benefits: It’s not directly linked to your bank account, and it promotes better money management discipline than debit/credit cards (which in turn will allow you to save money toward some of the solutions discussed above that might be out of your budget).

evacide – A lot of the advice above means making major changes to the way you live. Think about how much you’re willing to change in order to avoid your stalker/abuser. A lot of victims are trying to balance their desire for privacy and distance from their abuser with a desire to continue living their lives in a normal fashion. Some simple steps such a person can take include using a pseudonym on social media accounts, locking down one’s social media accounts so that content can only be viewed by trusted friends, and making one’s trusted friends aware of the situation so that they can alert you if they are contacted by your stalker/abuser trying to get information out of them.

Munin – The advice above is all good, but ultimately, the real problem is in balancing proper paranoia with the ability to function as a person. This is very difficult.

Balancing the need to stay hidden with the very real psychological dangers of isolation is difficult even for trained professionals – so maintaining such a cover will necessarily cause stress and strain. If you have anyone that you can trust, make sure you can stay in contact with them to keep an even keel. That will help with balance, and help you remember how to use the other advice appropriately.

★ ★ ★

(Additional credit on this article goes to Bill Sempf, who contributed extensive expertise on skiptrace investigative methodology.)

All opinions in this article are that of the individual contributors, and do not necessarily reflect the views of their employers, past, present, or future.

Ask Lesley InfoSec Advice Column: 2017-01-30

Thanks for another wonderful week of submissions to my “Ask Lesley” advice form. Today, we’ll discuss digital forensics methodology, security awareness, career paths, and hostile workplaces.


 

Dear Lesley,

I’m a recent female college graduate who didn’t study computer science but is working in technical support at a software company. The more I learn about infosec, the more curious and interested I get about whether this is the field for me. What resources/videos/courses/ANYTHING do you recommend for people who want to make a serious stab at learning infosec?

– Curious Noob

Dear Curious,

I’m really glad to hear you’re discovering a passion for infosec, because curiosity is really the most fundamental requirement for becoming a good hacker. I wrote a long blog series about information security careers which I hope you may find helpful in discovering niches and planning self-study. For brevity’s sake, here are some options for you.

  • Study up on any fundamental computer science area you’re underexposed to in your current work – that means Windows administration, Linux administration, TCP/IP, or system architecture. You need to have a good base understanding of each.
  • Get involved in your local CitySec, DEF CON local, or 2600 meet up group. They are great networking opportunities and a fabulous place to find a mentor or people to study with. There are meet ups all over the world in surprising places.
  • Consider attending an infosec / hacking conference. The BSides security conference in the nearest major city to you is a great option and should be very affordable (if not free). Attend some talks and see what speaks to you. Consider playing in the CTFs or other security challenges offered there, or at least observing.
  • Security Tube and Irongeek.com are your friends, with massive repositories of conference talk videos you can watch for free. Nearly any security topic that piques your interest has probably been spoken about at some point. I would favor those sites over random YouTube hacking tutorials which really vary in quality (and legality).
  • Consider building your own home lab to practice with basic tools and techniques. Networked VMs are adequate as long as you keep them segregated: Kali Linux and a Windows XP VM are a great place to start. You need to take stuff apart to learn about hacking.

These are only some brief suggestions – there’s no streamlined approach to becoming a great hacker. Get involved, ask questions, and don’t be afraid to break stuff (legally)!



Dear Lesley,

What do you do when you provide security awareness training to your employees, but they still click on phishing links!

– Mr. Phrustrated

Dear Phrustrated,

Beyond generally poor quality “death by PowerPoint” training, one of the biggest problems I see in corporate security awareness programs is poor, unsustainable measures of success. For instance, it’s become really trendy to conduct internal phishing tests to identify how many people click on a phish. It’s incredibly tempting to show off to executives that this number is trending down, but that metric is really pretty worthless.

No matter how ruthlessly trained, somebody (and anybody) will click on a well-enough crafted phish, and it only takes one compromise to breach a network’s defenses. What we should be measuring is the reporting of phishing messages and good communication between employees and the security team. The faster we know an attack is underway, the faster we can respond and mitigate the threat.

In conclusion, you should be less concerned if “somebody is still clicking” phishing messages than if nobody is telling you they clicked, and they resist or lie in embarrassment when asked.
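To make the measurement concrete, here is an added Python example (written for this page, not code from the original column) that scores a phishing exercise the way the answer above argues it should be scored. The log format and every event in it are constructed for the demonstration: one line per event, “timestamp event user”, with events sent, clicked and reported. Alongside the headline click rate it computes the report rate, the time from the first send to the first report (how quickly the security team would have known), and, most importantly, the silent clickers: people who clicked and never told anyone.

```python
from datetime import datetime

# Constructed sample log from a hypothetical internal phishing exercise
# (not real data): "<UTC timestamp> <event> <user>", events sent/clicked/reported.
SAMPLE_LOG = """\
2017-01-30T09:00:00Z sent alice
2017-01-30T09:00:00Z sent bob
2017-01-30T09:00:00Z sent carol
2017-01-30T09:00:00Z sent dave
2017-01-30T09:00:00Z sent erin
2017-01-30T09:03:10Z clicked bob
2017-01-30T09:04:45Z reported carol
2017-01-30T09:06:02Z clicked dave
2017-01-30T09:07:30Z reported bob
2017-01-30T09:15:00Z clicked erin
2017-01-30T09:40:12Z reported alice
"""


def parse_log(text):
    """Parse log lines into (timestamp, event, user) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event, user = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user))
    return events


def summarize(events):
    """Return the click rate executives ask for next to the numbers that matter:
    who reported, how fast the first report arrived, and who clicked and stayed silent."""
    sent, clicked, reported = set(), set(), set()
    first_sent = first_report = None
    for ts, event, user in sorted(events):  # chronological order
        if event == "sent":
            sent.add(user)
            first_sent = ts if first_sent is None else min(first_sent, ts)
        elif event == "clicked":
            clicked.add(user)
        elif event == "reported":
            reported.add(user)
            if first_report is None:
                first_report = ts
    n = len(sent) or 1  # avoid division by zero on an empty exercise
    minutes = None
    if first_sent is not None and first_report is not None:
        minutes = (first_report - first_sent).total_seconds() / 60
    return {
        "sent": len(sent),
        "click_rate": len(clicked & sent) / n,
        "report_rate": len(reported & sent) / n,
        "clicked_and_reported": len(clicked & reported),
        "silent_clickers": sorted(clicked - reported),  # the population to worry about
        "minutes_to_first_report": minutes,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

In the constructed sample the click rate and the report rate are both 60%, which says little on its own; the useful facts are that the team would have known within five minutes (carol reported before anyone else clicked) and that dave and erin clicked and said nothing, which is exactly the case the answer above says to worry about.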


Dear Lesley,

Is there a mental checklist while doing digital forensics to not make your evidence point to your quick conclusions, even if you think you have seen a similar case?

– Jack Reacher Jr.

Dear Jack,

Identifying that this is a problem is a great first step. While intuition is an important part of being a good investigator, sound methodology is even more important. The checklist you use to collect evidence and perform an investigation is going to vary by where you work and what types of things you investigate, but you should always have and follow a checklist – and I recommend it be a paper checklist, not mental.

Don’t ever shortcut or skip steps, even when you’re in a high pressure situation. Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document every step you take so that a colleague (or a legal professional) can follow your work even far in the future.

Finally, always remember that in a digital forensic investigation we are generally providing evidence to reach conclusions about “what, when and how”. “Who” is shaky ground, because in most cases it involves context outside the digital device. “Why” is almost never the business of a forensic analyst (and is indeed often not within the capacity of a company to responsibly answer). If you find yourself looking for evidence to fit a presumed “why” scenario, you have a big problem and you need to step back.


Dear Lesley,

I’m this girl like I said, who just started working in the field, and for the past 4 months, I worked at this huge corporation, who has, among other services, an information security related one, offering technical security (pen testing, …) and non-technical security services. At that time, I had little information about advanced hacking techniques as well as the good practices that should be followed to secure our systems.

During the first weeks I got hacked by someone who’s working with me, and I was harassed and shamed by them since then. I knew it because this person would talk about their findings to everyone, even to non-technical people, in the corporation. People would look at me and laugh, smile, smirk, or look at me pathetically, in addition to other situations.

Knowing that this person is an expert (12 or more years working in information security) and that I don’t have any proof of their actions, what should I do in your opinion? What kind of advice would you give to girls and women like me, who want to work in the field but get harassed by their experienced co-workers instead of being encouraged by them?

– I

Dear I,

Your story gave me pause enough to discuss it substantially with several colleagues in information technology who have also worked in extremely hostile environments.

This is a horrific situation. I want to make it crystal clear that this is utterly shameful on the part of your employer, your infosec colleagues, and your organization’s corporate culture. I truly hope it does not drive you from our field. The most important thing I can tell you is that this is not your fault, and this is not normal.

The first thing I recommend you do is document everything that’s happening in as much detail as possible, even if you don’t feel you have evidence right now. The activity you’re talking about may not only be harassment, but violate hacking laws. Since device compromise is a concern, please maintain this documentation offline.

What you do next depends on factors you don’t mention in your note. First of all, if you have a trusted supervisor, manager outside your team, or senior mentor in your organization, please turn to them for assistance and ensure they are corroborating what has been happening to you on paper. It’s their responsibility to assist you in resolving the issue at a work center or corporate level, even if they’re not directly in your reporting chain.

If there’s nobody at all you can go to in confidence, the situation becomes substantially more unpleasant. Your options are to ignore the behavior and stick out the requisite ~2 years of entry level security at the organization (obviously the worst option), seek employment elsewhere, or contact an HR representative (with the risk of retribution and legal battles that can bring). Obviously, my personal recommendation is taking you and your computer straight to HR. As a wise colleague of mine pointed out, this is most likely not an isolated incident – the behavior and dismal culture will continue for you and others. Sadly, in some places in the world with fewer employment protections, this can carry the risk of termination. Keep in mind that it is okay to confidentially consult a lawyer within the terms of your employment contract, and pro bono options may be available.

If HR / legal action is not an option, you can’t find employment elsewhere, and you’re toughing it out to build entry level experience, please network and find a local mentor and support structure outside of your company as soon as possible. As well as much needed emotional support, these people could help you study, network, bite back, and explore other recourse against the employer. Feel free to reach out to me anonymously and we’ll try to connect you with somebody in your area.

Best,
Lesley

Thwart my OSINT Efforts while Binging TV!

There’s been a bit of a social media uproar recently about the data collection practices of people search service FamilyTreeNow. However, it’s certainly not the first, only, (or last) service to provide potentially uncomfortable private information about people on the internet without their knowledge or consent. Even the most technologically disconnected people are frequently searchable.

In conducting OSINT research on people, services like FamilyTreeNow are often a gold mine, and are one of my first stops when I’m searching out useful facts to pivot into more intimate details about a target. Do you really want any casual stranger to know your home address, phone numbers, email addresses, and the names and ages of your kids? While disappearing from the internet completely can be nigh impossible, spending a little time removing easily accessible data can cause frustration and extra work for a nefarious (or nosy) person investigating you. I speak from experience. So, it’s worth taking some time to do, as we always want to make bad guys and gals’ lives harder.

So, grab a snack and a beverage, queue up a TV show to binge watch, and let’s make some quick and easy wins in helping you disappear from the malfeasant public eye. I’ll only ask you do five quick tasks per episode. You can do them during the boring parts.

Before we start, I highly recommend setting up a new webmail account to perform these removals. Almost all of the services require an email to opt out, and many require account registration. Since we’re dealing with firms that collect information about people, it’s sensible to avoid using your day to day or work email.

One last thing! It’s important to remember these services are not always accurate. You may have more than one entry for yourself at any of these services. Make sure to check!

Let’s begin!

  • Let’s get the aforementioned FamilyTreeNow out of the way. Their opt-out form is here: https://www.familytreenow.com/optout. They’ll require you to search for yourself through the opt-out page then click a red “opt out this record” at the top of your entry. (You must repeat this process from the start for every profile you wish to remove.)
  • Next, let’s head over to Instant Checkmate. Their Opt Out form is here: https://www.instantcheckmate.com/optout/ and requires you enter a name, birth date, and a contact email address.
  • We’ll head over to PeekYou, next, which requires you search their database first and provide the numeric profile ID in your page(s) URL, as well as an email address. Their opt out page is: http://www.peekyou.com/about/contact/optout/
  • Next up is Spokeo. You’ll once again need to search for yourself, but this time all you need to do is copy the full URL of your page(s). Then, head here: http://www.spokeo.com/opt_out/new, paste that link and enter your email address.
  • Let’s head to BeenVerified’s opt out page at https://www.beenverified.com/f/optout/search. Simply enter your name and location, select your entry or entries, enter your email, and click the verification link that is immediately sent to you.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • So, Whitepages has two different types of profiles – free and paid, and they seem to have little to do with one another in terms of removal. For the free side, you’ll have to sign up for their service to remove entries (which includes email verification). Once logged in, you simply need to paste the link to your entry here: https://secure.whitepages.com/me/suppressions.
  • For Whitepages Premium, you must open a quick support ticket with their help desk. Full details and the Help interface are here: https://premium.whitepages.com/help#about. You will need to copy and paste the link to your premium profile in the ticket (not the free Whitepages entry).
  • Let’s head over to PeopleFinders, http://www.peoplefinders.com/manage/. This one’s super easy; just use the search box to find your profile, and then click the opt-out button.
  • PeopleSmart is also relatively simple. Search for yourself at https://www.peoplesmart.com/optout-go. You will need to enter an email address and click a verification link.
  • USA People Search’s opt out page is here: https://www.usa-people-search.com/manage/ and simply requires clicking your profile and entering a captcha.

SNACK, BEVERAGE, NEXT EPISODE BREAK!

  • Let’s head to Radaris, at https://radaris.com/. Search for yourself. Click “full profile”, then click on the down arrow to see the full menu of options. There is one that states “Control Information”. This will prompt you to register for an account with their service and claim your profile as yourself. Once you have done so, you will have the option to “Remove Information” or take your aggregated profile private, at any time.
  • The last information service we’ll tackle today is Peoplelooker, at https://www.peoplelooker.com/f/optout/search. Once again, a relatively easy opt-out process using a verification email.
  • Finally, let’s do a little social media cleanup!
    • If you have a Facebook account, perform a Privacy Checkup. It won’t take too long. Ensure your posts and likes are as private as possible.
    • If you use Google or YouTube services, perform their Privacy Checkup. Once again, ensure nobody but the right friends and family can see your activity.
    • Head to LinkedIn. On the header menu, select Privacy & Settings, then select the “Privacy” tab. Consider how much sensitive detail you are providing about your workplace, their tools and processes, and yourself. Consider restricting certain data on your profile to only connections and members.

Good work! Enjoy the rest of your snack and your show! Be proud that you’ve done some good work cleaning up your public presence, today.

***

It’s important to note that I’ve left a couple of services out of this guide that are referenced in other comprehensive lists (like this one), due to the complexity and frustration of removing data from their services. Notable examples: Intelius (and their many subsidiaries) and US Search unfortunately require a form and photo ID for information removal – the latter by fax or snail mail(!). So, while we won’t tackle these removals while we watch TV and enjoy a nice cold beverage, they are something to consider addressing with a little time and during business hours.

If you are in a sensitive situation and need a clean slate as soon as possible, I do recommend considering a paid data removal service like Abine.

 

Ask Lesley InfoSec Advice Column: 2017-01-19

Thanks for your interesting question submissions to “Ask Lesley”! This column will repeat, on no specific schedule, when I receive interesting questions that are applicable to multiple people. See further details or submit a question, here. Without further ado, today we have OS debates, management communication issues, nation state actors, and career questions galore!



Dear Lesley,

So last year’s Anthem breach was from a nation state – why would a nation state want to hack health insurance info? I understand the identity theft motivation of a criminal, but why do you think a nation state would want this type of data?

– Inquisitive

Dear Inquisitive,

First off, I can’t confirm the details of the Anthem breach – I wasn’t involved in the investigation and haven’t had the privilege of reviewing all the evidence. However, when generally talking about why a state-sponsored actor might want to acquire data, you have to look at a bigger picture than data sets. Nation states usually view hacking as a means to an end. They (ab)use data with a firm political or military objective in mind. Whether a nation state intended to steal 80 million records, or the theft was a crime of opportunity when looking for something more specific, what they stole may unfortunately be useful to them for years to come.

You can obviously already see how the data stolen in a healthcare breach is a treasure trove for general identity theft. The piece I believe you might be missing considers how the data could be combined with other public domain and stolen information to facilitate political objectives. If you already have a target in mind, healthcare data could be a great boon to social engineering, blackmail, and surveillance efforts. For example, consider how much leverage knowing that a target’s child is ill could provide. Or that a target family is hundreds of thousands of dollars in medical debt. These are attractive attack vectors. I can only speculate on potential scenarios, but based on my experience in OSINT, the data stolen from Anthem adds attractive private information about many millions of people.

 


Dear Lesley,

The ‘researcher’ portion of ‘security researcher’ implies graduate school – is PhD study in cybersecurity worth it? There doesn’t seem to be many programs that are worthwhile (except on paper only)

– Not in Debt, Yet


Dear Not in Debt, Yet,

That’s an interesting implication – not one I necessarily agree with based on empirical evidence. I know full time, professional security researchers studying everything from exploits to governance who have every level of formal education, from GEDs to PhDs. I do see certain fields of security research represented in higher education more than others – a couple of examples are high level cryptography and electronic engineering.

I have always been an advocate for higher education and I see little harm and many benefits in getting a good education in a field you enjoy (particularly, a well-rounded education) if you can afford it. However, at the present, there are very few information security careers or communities of research which require a degree, and fewer good quality degree programs. You should see few credential-related barriers to participating in or publishing security research if your work and presentation is good quality.

In some ways, existing exclusively in academia can also make it harder to work in practical security research, as the security field changes more quickly than university curricula can keep up. As a result, some academic security research ends up impractical and theoretical to a fault. (See my yearly rants on steganography papers.) If you go the academic route, choose your field of study carefully, and be careful not to lose touch with the working world.


Dear Lesley,

While working on my 5 BILLION dollar data breach, I wanted some blue cheese dip and chips (The Spice House in Chicago has the best mix btw), a co-worker looked at me with disgust. Am I wrong? Also what’s a good resource to learn about file carving?

– Epicurean EnCE

Dear Epicurean,

Clearly, your coworker is a Ranch dressing fan and should therefore be looked upon with disdain. In regards to file carving, your mission (should you choose to accept it) is to review how files are physically and logically stored on a hard drive. Next, you’ll want to start familiarizing yourself with typical file headers and footers. Gary Kessler has a pretty killer list, here. Some file types will be more relevant to your specific work in forensics than others; I can’t tell you which those will be. Your best bet is to pick a couple of file types you look at a lot and look at them in a hex editor, then start searching for them in a forensic image.

Brian Carrier’s File System Forensics book, while a bit older, is still a stellar resource for understanding How Disk Stuff Works. SANS SIFT kit includes the tools you will need to get started carving files from disk, and the associated cheat sheets will help with the commands.

If you want to carve files from packet captures, similar header/footer knowledge is required, along with a different tool set. Wireshark’s export alone will often suffice; if it fails, look at Network Miner.
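The header/footer idea above is simple enough to see in a few dozen lines, so here is an added example of my own (not code from the column, SANS SIFT, or any tool named above) that carves JPEG and PNG files out of a raw byte image by scanning for their real magic values, skips a header whose footer is gone, and then validates a carved PNG by checking its chunk CRCs, because a footer match alone can’t tell a clean carve from a truncated or spliced one. The “disk image” is constructed in memory so the script runs offline; point the same `carve` function at `open(path, "rb").read()` to try it on a real image.

```python
"""Header/footer file carving over a raw byte image.

Added example for the file-carving question; it is not code from the column,
SANS SIFT, or any named tool. The JPEG and PNG magic values are the real ones;
the "disk image" is constructed in memory so the script runs offline.
"""
import struct
import zlib

# (label, header, footer). JPEG: SOI FF D8 FF ... EOI FF D9.
# PNG: 8-byte signature ... IEND chunk type followed by its fixed CRC AE 42 60 82.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
]


def carve(image, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Return (label, offset, length, data) for every header whose footer
    appears within max_size bytes. A header with no footer (a file whose
    tail was overwritten) is skipped rather than carved to end of image."""
    found = []
    for label, header, footer in signatures:
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            end = image.find(footer, start + len(header), start + max_size)
            if end != -1:
                stop = end + len(footer)
                found.append((label, start, stop - start, image[start:stop]))
            pos = start + 1   # keep scanning: embedded thumbnails etc. may hide nested files
    return sorted(found, key=lambda item: item[1])


def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png():
    """A genuine 1x1 RGB PNG built by hand, so the sample image contains a valid file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, truecolour
    idat = zlib.compress(b"\x00\x10\x20\x30")             # filter byte + one RGB pixel
    return SIGNATURES[1][1] + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_crc_ok(data):
    """Validate a carved PNG by checking every chunk CRC up to IEND. Footer
    matching alone cannot tell a clean carve from a truncated or spliced one."""
    if not data.startswith(SIGNATURES[1][1]):
        return False
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            return False
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        pos += 12 + length
        if ctype == b"IEND":
            return True
    return False


# Constructed "disk image": unallocated filler, a minimal JPEG, a valid PNG,
# and an orphaned JPEG header whose footer is gone (should not be carved).
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 40 + b"\xff\xd9"
DISK_IMAGE = (
    b"\x00" * 64
    + JPEG_SAMPLE
    + b"unallocated space " * 5
    + make_png()
    + b"\xff\xd8\xff\xe0" + b"\x00" * 16
)

if __name__ == "__main__":
    for label, offset, length, data in carve(DISK_IMAGE):
        valid = png_crc_ok(data) if label == "png" else "n/a"
        print(f"{label} at offset {offset}, {length} bytes, valid={valid}")
```

The two things this shows that a hex editor alone won’t are the failure modes: a header with no matching footer is left alone instead of swallowing the rest of the image, and a carved PNG is checked structurally before anyone trusts it. The `max_size` cap matters on real images, where a stray `FF D9` may sit gigabytes away from a JPEG header.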


Dear Lesley,

What was the silliest / dumbest thing you’ve googled this week?

– Curious in Cincinnati


Dear Curious,

“The shirt, 2017”

I still don’t get what’s up with that.

 


Dear Lesley,

I teach high school computer science courses and many students’ biggest interest is infoSec stuff. What should they do to prepare at that age? Any recommendations on software or skills I can teach them? I’m willing to put in the time and effort to learn things to teach and we have class time, but this isn’t what my tech career focused on so I need some help. Thank you, you’re the best!

– Mentor in Michigan

Dear Mentor,

Being a crummy hacker requires learning to use a few tools by following YouTube. Being a good hacker requires a great deal of foundational knowledge about other, less entertaining computer stuff.

The better one knows how computer hardware, operating systems, and networks work, the better he or she will be at hacking. If kids come out of your classes unafraid of taking their own software and hardware apart, you did your job right. That means a lot of thinking about how Windows and Linux function, how computer programs work all the way down to Assembly, and how data gets from point A to point B. If you are going to encourage kids to take stuff apart, make sure they also understand that law and ethics are involved. Provide them a safe and legal sandbox to explore, and explain why it’s important to know how to break things in order to fix them.

As an aside – by high school, kids are more than old enough to be actively participating in the infosec community if they wish. Numerous kids and teens attend and even present at hacker events, these days; in fact, many conferences have educational events and sponsorships specifically for youth.

 


Dear Lesley,

I normally use a Chromebook, but I also have to use Windows 10 so that I can use Cisco packet tracer (I’m studying CCNA). I really trust the security of my Chromebook, but Windows 10 – not so much. I have antivirus, anti-exploit and anti-ransomware software on my Windows laptop. But my question to you is: Is there a resource that you know of that can help lock down Windows 10 for the home user? Most of what I find is for enterprises and Enterprise versions of Windows 10 and if I do find something for the home user it invariably talks about privacy rather than security.

– Kerneled Out


Dear Kerneled Out,

The OS wars, while somewhat befuddled by 2016, are alive and well. There are dogmatic Linux fans, and dogmatic Windows fans, and so on and so forth. My opinion is that every OS has its place when used correctly by the right person. Many serious security people I know use every major OS on a daily basis – I sure do.

Swift On Security has a nice guide here on securing Windows 10 that should suit your needs.

As for Chrome over Windows – please don’t fall into the “security by obscurity” trap that MacOS and Chrome can encourage. They are both solid OSes with interesting ideas on security, and viable choices for home and business use cases. However, modern versions are not inherently more or less secure than modern Windows. MacOS, Windows, Chrome, and major Linux distros are as secure as they are configured and used by human beings. Of course, the complexity of configuring them can vary based on user experience and training.

 


Dear Lesley,

How come everyone wants 5 years experience for an entry level infosec job? I’ve been trying to get gainful employment in an offensive role for more than 6 months and no one wants anyone with less than 5 years of pentesting/red teaming experience. Can’t exactly do pen tests until you’re a pentester, so what do I do?

– Frustrated

Dear Frustrated,

I’m sorry to hear you’re having so much trouble finding a position. I have written quite a lot about infosec career paths and job hunting in previous blogs, and I hope that they can assist you a little. Red teaming is unfortunately much harder and more competitive to find work in than Blue teaming, so my suggestions here are not going to be particularly pleasant:

  • Consider your willingness to move. There are simply more red team jobs in places like DC and the west coast.
  • Consider if you can take a lower-paid internship. It sucks, but it’s an in, and pen testing firms do offer them.
  • Consider doing blue team SOC work for a couple years. It’s not exactly your cup of tea, but it will give you solid security experience.
  • Network like crazy. Get to the cons and the meet-ups in person. Talk to people and build relationships.
  • Do research and speak about it. Pick something that intrigues you, even if you have no professional experience, do a few months’ work, and submit to a CFP. It will get you name recognition.

Dear Lesley,

Many infosec professionals feel that signature-based antivirus is dead. If that is the case… What do you recommend we replace it with to protect our most vulnerable endpoints (end users) with?

– Sigs Uneasy

Dear Sigs,

That’s the kind of black and white statement that makes a good headline, but exaggerates the truth a bit. Yes, there are a couple companies who have been able to ditch antivirus because of their topology and operations. The vast majority still use it. While signatures alone don’t cut it against quickly replaced and polymorphic threats, other antivirus features, such as HIPS and heuristics, still provide a benefit. (So, if you’re still using some kind of antivirus that can’t do those things, it’s time to upgrade.)

Antivirus today is useful as part of a “defense in depth” solution. It is not a silver bullet, and it’s certainly defeatable. However, it still catches mass malware and the occasional targeted threat. The threats AV misses should be caught by your network IPS, your firewall, your web filters, your application whitelisting solution, and so forth. None of those solutions is bulletproof alone, and even the efficacy of trendy solutions like whitelisting is limited if you don’t architect and administer your network securely.


Dear Lesley,

I was testing a network and found some major flaws. The management doesn’t seem too bothered but I feel the issues are huge. I want to out them because these flaws could impact many innocent people. But if I do, I won’t be hired again. I look forward to your response.

– Vaguely Disturbed

Dear Disturbed,

Before whistle-blowing and potentially getting in legal trouble, I highly recommend you approach this argument from a solid risk management perspective. Sometimes, “it could be hacked” means a lot less to management than, “9 companies in our industry were breached in 2016, and if we are, it will probably cost us over 70 million dollars in lost revenue”. If you have access to anybody with a risk analysis background you can reach out to under the relevant NDA, I highly recommend you have a chat with them and put together a quantified, evidenced argument, ASAP. The more dollar signs and legal cases, the better your chances of winning this.

At the very least, win or lose, ensure you’ve covered your butt. This means written statements and acknowledgements stating that you clearly explained the potential risk and that they willfully chose to ignore it. Requiring a notarized signature not only makes the risk look more serious to them, but will also be helpful in case they decide to blame you or your employer two years from now.

I would suggest you consult a lawyer before breaking NDA or employment contract by whistle blowing, no matter how noble your intentions. I am not a lawyer, nor do I play one on TV.


Dear Lesley,

I make software and web applications that connect to software and services from other companies. Sometimes those companies disable or cripple some features due to possible security exploits. When I’ve met with security people from those companies and asked them about the features they nerfed (disabled or crippled), I’m met with an awkward silence similar to the vague errors I get from their servers. As a developer, I’m so used to the open-source community that wants to help that this feels weird. Is there some certification, secret handshake, or specific brand of white fedora I need to have conversations with security people about their products security issues? Just trying to learn and grow, and not cause a mess for anybody.

– Snubbed

Dear Snubbed,

No secret handshake. Here are a couple suggestions from the receiving end of these types of concerns:

  • Set up a security lab with your applications and a client on it. Install one or more Snort or Suricata sensors with the free Emerging Threats ruleset in the midst of them to intercept their communication. (Security Onion is a nice, relatively easy to install option.) Send normal application traffic back and forth and see what security signatures are firing on the network. That will give you some idea of what might be getting blocked before you even start the discussion (and help you reduce false positives).
  • Ensure your applications are getting proper vulnerability testing before release. Again, even if you’re coding securely and responsibly, this can help reduce false positive detection by vulnerability scanners or sensors.
  • Ask the security people what security products or appliances they are using on the hosts and on the network, and what signatures are firing. You might not have access to a 20,000 dollar security appliance to test, but their sensor might have full packet capture functionality or verbose logs that will help you troubleshoot.
  • Try to build a better professional relationship with these teams if you can. If they’re involved in a local security group, perhaps drop by and have a drink with them.
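Once that lab sensor is running, the useful output is “which signatures fire on my app’s own normal traffic, and how often”, so here is an added example of mine (not from the column, Suricata, or Emerging Threats) that reads Suricata’s EVE JSON log and produces that summary. It assumes the real EVE layout (`event_type` “alert” records with `src_ip`/`dest_ip`/`dest_port` and an `alert` object carrying `signature_id`, `signature`, `category` and `severity`); the sample lines, addresses and signature ids are constructed for a lab and are not real ET rules. Anything flagged `lab_internal` fired on traffic between your own two hosts, which is exactly the list to either fix before release or hand to the customer’s security team as documented false positives.

```python
"""Triage Suricata EVE alerts from a lab sensor placed between an app and its client.

Added example, not from the column or any vendor. It assumes Suricata's EVE
JSON output (event_type "alert" records with src_ip/dest_ip/dest_port and an
"alert" object carrying signature_id, signature, category, severity). The
sample lines, IPs and signature ids below are constructed for the lab and are
not real Emerging Threats rules.
"""
import json

# Constructed eve.json excerpt: two lab hosts (app 10.0.0.10, client 10.0.0.5),
# one external host, one non-alert record and one corrupt (truncated) line.
SAMPLE_EVE = r'''
{"timestamp":"2017-01-19T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LAB client User-Agent carries raw build string","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-01-19T10:00:02.000000+0000","event_type":"flow","src_ip":"10.0.0.5","src_port":51000,"dest_ip":"10.0.0.10","dest_port":443,"proto":"TCP"}
{"timestamp":"2017-01-19T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51002,"dest_ip":"10.0.0.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LAB client User-Agent carries raw build string","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2017-01-19T10:00:09.000000+0000","event_type":"alert","src_ip":"10.0.0.10","src_port":40000,"dest_ip":"198.51.100.7","dest_port":80,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"LAB app POSTs to external host over plain HTTP","category":"Policy Violation","severity":3}}
{"timestamp":"2017-01-19T10:00:12.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_port":51003,"dest_ip":"10.0.0.10","dest_port":443,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":9000003,"rev":2,"signature":"LAB SQL keywords in URI parameter","category":"Web Application Attack","severity":1}}
{"timestamp":"2017-01-19T10:00:13.000000+0000","event_type":"alert","src_ip":"10.0.0.5","src_po
'''


def parse_alerts(text):
    """Return only well-formed alert records; skip other event types and corrupt lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated/rotated line: ignore, do not crash the run
        if event.get("event_type") == "alert" and "alert" in event:
            alerts.append(event)
    return alerts


def summarize(alerts, lab_hosts):
    """Group alerts by signature id. lab_internal=True means both endpoints are
    your own lab hosts, i.e. the rule fired on the app's own normal traffic:
    either a false positive to document for the customer's security team, or
    something in the protocol worth changing before release."""
    by_sid = {}
    for event in alerts:
        sig = event["alert"]
        entry = by_sid.setdefault(sig["signature_id"], {
            "signature_id": sig["signature_id"],
            "signature": sig["signature"],
            "category": sig["category"],
            "severity": sig["severity"],
            "count": 0,
            "flows": set(),
            "lab_internal": True,
        })
        entry["count"] += 1
        entry["flows"].add((event["src_ip"], event["dest_ip"], event["dest_port"]))
        if event["src_ip"] not in lab_hosts or event["dest_ip"] not in lab_hosts:
            entry["lab_internal"] = False
    # Suricata severity 1 is the most severe; show those first, then by volume.
    return sorted(by_sid.values(), key=lambda e: (e["severity"], -e["count"]))


if __name__ == "__main__":
    for entry in summarize(parse_alerts(SAMPLE_EVE), {"10.0.0.5", "10.0.0.10"}):
        tag = "app-internal" if entry["lab_internal"] else "external"
        print(f'sev{entry["severity"]} sid {entry["signature_id"]} x{entry["count"]} [{tag}] {entry["signature"]}')
```

On a real sensor, read `/var/log/suricata/eve.json` (the default EVE path) line by line instead of the embedded string; the parser already tolerates the non-alert record types and the half-written last line you get from a live, rotating log.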

 


Dear Lesley,

I’m feeling it is time to move on from Windows XP, but only because many things no longer support it, and 3Gb is a bit limiting when running VMs and the like. I’ve tried Windows 10, and it is completely alien, and I worry about security – it streams things back to Microsoft, and is less secure than my hardened XP install. I’ve tried Mint Linux, and that was quite good, but underneath it is even more alien than Windows 10. I’ve heard of BSD, but I’m worried that my political career could be over if word about that got out, so I’ve not tried it. What do you suggest?

– Unsupported in UK

Dear Unsupported,

It is indeed high time to move off XP.

Windows XP is unsupported, highly vulnerable, and trivially exploitable by hackers. It is not in the same league as Windows 10 in terms of security. Even application whitelisting (which is considered a bit of a last-resort silver bullet in industry) isn’t a reliable means of securing XP against attacks anymore.

Yes, there are some IT professionals who dislike Windows 10. Those concerns usually have to do with things like UI, embedded ads and system telemetry, not the underlying security (which is quite well engineered).

If those are your specific concerns, a current version of Mint (which you tried), Ubuntu, or MacOS are all okay options. They would all need to be thoughtfully configured for security just as much as Windows. BSD will feel just as unfamiliar if you were uncomfortable operating in Mint, but I certainly don’t discourage you from giving it a try. Even MacOS is *nix based under the hood.

Unfortunately, it seems to me that you’re stuck with two options if you want to maintain any semblance of security: cope with your dislike of Windows 10, or dedicate some time to learning the inner workings of a new operating system. Either way, please get off XP as soon as possible.


Dear Lesley,

My friend, since birth – who I’ll call M. E., has had a 23-year, jack-of-most-trades career in IT. ME is currently serving as the IT Decider (and Doer) at an SMB financial firm. Over the last five years, ME has enjoyed focusing on security. Technology, security in particular, is still near the top of his hobby list. However, compared to when he started his IT career, ME places a greater value on having a work-life balance. ME wonders if it’s too late for a change to the cyberz – without “starting over.” In your experience, is there a reasonable way for ME to jump from the “IT rail” to the “security rail” without touching the third rail and returning to Go, without collecting $200?

– ME’s Friend

Dear ME’s Friend,

Your ‘friend’ sounds like a great candidate for many security positions, but he or she might have to take a pay cut. 23 years of experience in systems administration and networking is 23 years of experience in how to take things apart, which is really mostly what security is behind the neat hats and the techno music.

ME is going to need to figure out two important things. Firstly, ME will need to gain some security-specific vocabulary to tie things together – a course or certification might be a nice feather in the cap. Then, ME is going to have to carefully plan out how to present him or herself as an Awesome Security Candidate in interviews and resumes. That will involve taking those 23 years of generalized experience, as well as security hobby work, and selling them as 23 years of Awesome Security Experience. For example, it takes a lot of understanding of Windows administration and scripting to be a good Windows pen tester. Or, it takes a lot of TCP/IP knowledge to do packet analysis of an IPS signature fire. Every niche of security requires deep knowledge of one or more areas of general IT.

All that being said, there are some security skills that need to be learned on the job. I wouldn’t push ME towards an entry level gig, but it may not be an easy lateral move to any senior technical position, either. A good segue if seniority is critical might be security engineering (IPS / SIEM / log aggregation administration, etc).


Dear Lesley,

How does an organization go about starting a patch testing program? Ours seems to be stuck in a “don’t update it, you’ll break the application” mindset.

– TarPitted in Texas

Dear TarPitted,

As I noted to a reader above, sometimes this type of impasse with management can only be solved through presenting things as quantifiable risk. If you are telling management that your application is vulnerable, and they are saying it will cost too much if it breaks when you patch it, somebody else is quantifying risk better than you. You’d best believe that team saying, “the application might break” is also saying, “if this application breaks, it will cost us n dollars a day”. So, play that game. Tell management specifically how much money and time they stand to lose if a security incident occurs. Present this risk clearly – get help if you need to from all of the impacted teams, your disaster recovery and risk management professionals, and even your finance team.

Your managers should be making a decision based on monetary and other quantifiable business impact of the application going down for patching, vs. the monetary and other quantifiable business impacts of a potential security incident at x likelihood. Once they do that on paper, you’ve done due diligence.