gattin' lols

Nov 02

10/12/11 NAISG-ATL Wrap Up Pt. 2

Ok, this is my last time bringing up thoughts that were originally placed into my head last month. Although BSides-ATL is right around the corner, so I expect a good couple months' worth of material from that event.*

I don’t feel too bad about this post being so late, as it’s one of infosec’s oldest, best-known and most disagreed-on topics: “Given limited resources and a network to protect, where do you focus your efforts?” For an efficiency dork like me this translates to “What can I implement that has the most impact for the least amount of resource utilization?” Without further ado, here are my answers, in order of most effect/least resource-heavy.

Patching

This is at the top of my list because, hey, it’s a service provided by vendors (read: FREE.99) and it mitigates most vulnerabilities being exploited in the wild. Even in industries where applying patches is impossible due to sensitive systems, this at least forces you to inventory your most vulnerable systems, allowing you to take further steps (placing devices on a DMZ, monitoring them more closely, etc.) to prevent/detect malicious activity. I’ve heard it said that a patch-focused security program forces you to rely too heavily on your vendors, but in a resource-restricted environment, I don’t find this to be a deal breaker. Zero-day attacks are still extremely rare in the real world (not to mention basically indefensible anyway), so making sure your network is protected against the common Blaster Worm through aggressive patching nets you a pretty great bang for your buck.

User Education

Another area where I believe you can make a large impact with minimal resources is user education. Aggressive patching can help secure you from the most common threats, and combining that with smart and savvy users (read: ones who don’t just click crap because an email told them to) just ices the cake. As you can see, most of my resource-deprived program is based on Benny’s old adage about an ounce of prevention. Don’t just fight for the user, Tron. Enlist the user and empower them to fight alongside you.

PEOPLE, stupid

Last, but never least, and certainly your number one priority when you can afford it, is surrounding yourself with the right people. Good people are priceless, but they definitely will cost you, and rightfully so. As for all this talk about SIEM being dead and log management being the suxX0rs, all I have to say is: put a badass analyst in front of the console and the value added will be obvious.

END

Except to say come to BSides.

*At a rate of one post bi-monthly.

Oct 18

10/12/11 NAISG-ATL Wrap Up Pt. 1

Last Wednesday our friendly neighborhood NAISG group got together, as we are wont to do once a month, and enjoyed a lively roundtable discussion featuring Mike, Chris and Jeff, moderated by Martin. If you’re in Atlanta and interested in security, I highly recommend coming to hang out with us at a meetup. Always great talks and networking, and you’re guaranteed at least one free beer.

BUT I DIGRESS

Being the dunce that I am, it’s tough for me to formulate words, let alone ideas, while others are “pontificating,” so I figured I’d dump my postscript regarding a couple of the questions tossed out here.

One question Martin asked that made me think was “Is Infosec Harder Now?”

I think it’s pretty safe to say infosec is a much different game than it was 10 years ago. Hackers found a way to make money off of attacks which in turn has increased their volume and complexity. The victims are higher profile with more to lose and attacks are more frequent, consistent and harder to detect. The stakes are higher than ever.

BUT

Detection and prevention technology has also increased. We’ve managed to monetize the defense of networks, and as fast as the bad guys can crank out malicious code, researchers are breaking it down and analyzing it. Does the offense still have the upper hand? You bet. But we’ve got experienced leaders now and we’re holding the line for the most part. 

HOWEVER

“Smurf works again!”
-Boris re: IPv6 on ISD Ep. 495

One problem I occasionally see arise with the next-gen industry folks (my peer group) is the issue of only being familiar with the current baseline that exists. We’ve pushed and protected and gained some ground as an industry, but it’s important not to forget the old attack vectors. We have to be familiar with the legacy attack patterns, what they look like and how to stop them. It makes no sense to defend against the latest and greatest threats if you’re susceptible to a vulnerability from 1998. Living through the creation of new attacks, where you had to scramble to implement defenses on the fly, really drills that attack into your head, and this is an area where those more experienced in old-school trench warfare can help through training and mentorship.

TL;DR

Yes, security is harder now, but we’re better at it. And continually training the new guys in the old ways while building on modern knowledge will keep that trend going.

Pt. 2 eventually!

Feb 16

Hello world!

Just another security blog to document the steps I’m taking to fail less. I ported a couple old posts over here, mostly because I think they’re funny.

Jan 07

And then Greg Evans responded to a post I wrote 6 months ago**

Protip #1: Hi, I’m Kyle and this is my blog! I like cursing, run-on sentences and internet memes. I don’t like: people who give my industry a bad name. You’ve been warned.
Protip #2: This post is wordy. For the tl;dr version, click here. For the one-word summary, click here.

Back in June of 2k10, when the World was young, I wrote this post, mostly for the lulz, but also because Greg Evans is doing it wrong. And by “it”, I mean his life, his company and the internet in general. If you don’t care to read my drivel, let me sum it up for you: Greg Evans, look at your life, look at your choices. This morning I found this gem in my inbox:

Wow! Well this is the Real Gregory Evans.  Kyle I would think you would be bigger than that. See everyone went and wrote all this bullshite and did not even speak to me.  So since we are in the same city and I no you just moved her you can come see me or I could come see you.  Then you can speak to me and then write what you want.

Call me 866-354-4288 Ext. 5673

Gregory Evans
The Best That Ever Did It.

Now I’m not sure if this is legit or not. The Disqus notification did come with an Atlanta IP attached to the comment that resolves to an ISP he has been associated with in the past, and there are the usual Evans typos and misinformed facts (I’ve lived in Atlanta over half my life), but I thought he was currently in Vegas. Though maybe he was just reminiscing about how great it is. (edit: link removed, his twitter account has been suspended)

If this is actually fake, then epic troll is epic. So assuming this really is you Greg, let’s have an open conversation, on the internet, where you can’t “Chris John Riley” me (yes, it’s a verb) and claim I did something that I can’t prove I didn’t - and that you can’t prove I did - even though the onus probandi is always on the person making claims and Skype keeps logs of fucking EVERYTHING. See, I don’t have the clout and reputation of Chris and though it’s nearly universally accepted that you are a liar, I don’t really want to have to deal with that nonsense.

I’m not sure why you chose to respond to my post on my rinky-dink tumblr-log that contains mostly funny youtube videos and photos of half-naked girls. And with your real name even, not the usual fake commenter account! I feel like the prettiest girl at the dance. Maybe you felt that I am a kindred spirit because I live in Atlanta or because I talk like those guys you hung out with in the clink; regardless, thank you for responding with a date offer (?) even if 1) you didn’t actually address any of my points, and 2) you were 6 months late. In the time since I wrote that post (swearing it to be my last), you’ve surprised me and gone even bat-shittier crazy.

But seriously man, I’m more hack than hacker. While I’m going to have to go ahead and preemptively turn down what I can only assume is a LIGATT Board of Directors position (Chief n00b In Charge of Everything), you should respond to people who can actually help with your situation. indi303 is a pretty cool bro who infosecs and doesn’t afraid of anything and will give you a fair chance to speak on his podcast. Plus Nickerson has already offered to out-hack you for a million dollars in the dumbest bet you’ve ever made since gambling that AT&T wouldn’t turn you in to the feds for fraud (NOT HACKING). Andy, Martin and the gang might tolerate you for… minutes if you’re lucky, longer if you’re apologetic and honest. Plenty of people have reached out to you; here’s a piece of advice, though, if you decide to, you know, address someone with an audience: remember to stop talking to breathe occasionally*, which you forgot to do when Tom and Matt hosted you.

*I move away from the mic to breathe.

Which brings me to another point: what’s with this “woe is me, people don’t talk to me so I can’t defend myself” shit? Look up at the url, now back at me, now back to the url and back… to… me. Do you see that url? That’s my name. Sadly it’s not your name, but if you got your own fucking website, it could be your name. Oh wait, you already have a site. Dude, FUCKING USE IT. For more than just linking to other people’s articles, preferably. You see, how the internet works is that when I want to share ideas with people, I write them here, then they see them and can respond. This creates what social media experts like myself call a “dialog”. So if someone criticizes me for something, I can defend myself here (assuming tumblr is up, hi-yo!), and we can spark a conversation on the matter if need be. Try it for yourself, you might like it!

But hey, if you are still gung ho about bro-ing out despite my obvious vitriol, feel free to come by the Gordon Biersch in Buckhead this Wednesday at 6pm. You can buy me a drink and try to sweet talk my metaphoric pants off. Maybe I could help with your image because, hell, my ‘no reputation’ is still better than your negative one.

Be prepared, however, to address the following points (and yes, a PowerPoint Presentation will be acceptable):

1) Plagiarism - If you really have the rights to use the documents you published in your book “How to Be the World’s No. 1 Hacker” or whatever nonsense, then you should have the paperwork stating so. I want to see it. With all the lawsuits you file, I’m sure your team of lawyers is on standby just waiting for your orders. Tell them to get cracking.

2) Cyber Bullying - Come on man, posting people’s addresses? That’s not cool or an effective way to get a point across. Even if Kris did anything at all which warranted retaliation, of which there is no evidence btw, that was not the answer. All you showed was your power of ignorance. And what’s with the nerd bashing? You call the community ‘nerds’, but then sometimes you say nerds are better than jocks, but then you say we couldn’t get jobs at the Geek Squad, but then you want us to buy your awkward and racist t-shirts? I am confuse.

3) Creating Fake Accounts to Defend Yourself - Strange and different names with the same IP address popping up all over the web. The same IP found in emails sent by your PR department. *cough*0ph3lia*cough*. Oh hai, look at this fucking comment.

4) Slander & (attempted) Profiting off of Slander - I know you said the Skype logs mysteriously disappeared after the notorious incident with Mr. Riley. Luckily we have several members of the Atlanta infosec community who are forensic experts and would happily donate their time to recover said files. Just bring your computer, and we’ll get it imaged and have that missing proof in no time. And really, did you think selling “I am a Racist” t-shirts was a good idea? Or the race-specific ones that got you accused of racism? The World’s best hackers are white? Congrats, the guys over on StormFront are now your biggest fans.

5) Identity Fraud - Another ironic one. Do you really need to pad your resume so badly? And no, a link to the wayback machine pointing to an older site you USED to lie about your credentials on will not be considered acceptable proof.

6) Hurting the Race Debate - Remember the boy who cried wolf? Well you are the man who cried racism. Seriously, by claiming racism when there is none, you actively hurt the very real ongoing discussion about race that exists in America. I’ll chalk this up to yet another example of you intentionally seeking to destroy a community you claim to be a part of.

7) The mother fucking Cyber Wars - Jesus Christ, what were you trying to accomplish with that retardation? You claimed it wasn’t you BUT THE DEFAULT WORDPRESS ACCOUNT WAS ‘NO1HACKER’. The default emails dumped from the databases were once again the poor, poor unfortunate people who have to put up with your crazy in the LIGATT PR department. I mean, these are hard facts that you just deny and then pretend don’t exist. I MEAN WHAT THE FUCKING FUCK.

Basically, just go through the Errata page and bring hard counters for every single article. Jesus.

At our meeting I’m also prepared to accept an offer to purchase the domain lolgattsecurity.com, which I purchased many moons ago thinking it (correctly) hi-larious, but had recently and coincidentally (adverb overload) been planning on turning into a central repository dump for my occasional security gurgitations and regurgitations. My opening offer is $50,000, but we can pin down the exact figure in person. And also, I know your finger is on that button to speed dial your lawyers, but satire is actually protected free speech in America.

Or, here’s a novel idea: just fucking man up, apologize for said mistakes, swear they will never happen again and then FOLLOW THROUGH, you know, like GOOD PEOPLE DO. It’s not even necessary for you to contribute positively to the community, just stop trying to destroy it.

TL;DR

Gregory D. Evans wants 2 b my bffl.

Or fight me.

When really he should just stop being a liar and a dick.

THE END

**alternate title:

Let’s have a post for the douchebags,
Let’s have a post for the assholes,
Let’s have a post for LIGATT,
Cause they’re the biggest ones I know.
Let’s have a post for the jerkoffs,
That can only rip you off,
Baby if you need a scan,
AmIHackerProof is a scam.

with props and apologies to Kanye for the hook

SAGE

Jun 25

My first, last, and only post regarding the LIGATT hilarity

This is a good summary of the LIGATT saga thus far. Basically, a guy who once went to prison for wire fraud now markets himself as the “World’s Number 1 Hacker”, despite the fact that his case didn’t really involve any sort of network intrusion from what I can tell. According to Errata, he obtained toll-free phone lines, resold them, and never paid AT&T. Since then he’s effectively marketed himself as a hacker in order to peddle security services. I have no problem with that; Mitnick does the same thing. If someone is too stupid to figure out you are actually full of shit, then they deserve to get robbed.

So his business is based out of Atlanta, and despite both living in Atlanta and being a Padawan learner in the local InfoSec community, I had never heard of Mr. Evans until a couple of weeks ago when all this hit the fan. Even though the Exotic Liability guys said that Atlantians can’t read (whatever, I know they love our strip clubs), Atlanta is one of the nation’s security hubs (only behind DC & Boston, I think. Thanks ISS!) and we have an awesome local InfoSec community.

InfoSec guys, on average, tend to be smart motherfuckers. I consider myself quick on the uptake, but I am literally humbled daily by the people in my industry. The guys I work with alone are geniuses, and the people involved in the Atlanta scene, in general, blow me away (miss u Martin+Andy). I consider myself so lucky to have all these super smart people around me. Even more impressive is the way the community will take people in, accept them and offer guidance, without judgments or caring what you know, as long as you’re willing to learn and do the work.

The real error he made was trying to “hustle” (his words, not mine) the InfoSec industry, instead of just the retarded members of the media. See, in business and sales, you can be full of shit. In fact, the friends I know in those industries seem to make more money the more full of shit they are. But that doesn’t fly in our business. You need to know your shit. Your commissions and numbers don’t matter; we are a people with a knowledge-based economy.

So Greg Evans has been telling the truth about one thing. He is most definitely a hustler. While it’s probably not true that he’s making the millions of dollars he claims (I know a couple people worth 1m+ and the richer they are the less they seem to want people to know it), I’m sure he makes a living due to his marketing skills. And so does the guy by the MARTA station hustling bootleg DVDs. And just like him, Evans is really good at selling cheap, shitty versions of original content made by others. Evans has as much claim to the “hacker” title as that guy has to the “director” credit of this shaky cam edition of Toy Story 3 I just bought.

I’m not going to address his claims of being the only black InfoSec guy at conferences, because it would just be me naming all the black people I know in the industry and that’s pretty fucking stupid. Just take my word that he’s not. I’m not even going to delve into his bogus charges of racism either, but suffice it to say that Evans’ use of a white girl’s picture as the avatar for an article “attributed” (the article was actually stolen) to a black researcher who works for him is by far the most offensive form of racism I’ve seen in the community during my 3+ years as an engineer.

Sage

goes

in

all

fields

with regards to LIGATT. Except on twitter, because this shit is still hilarious.


Simian Mobile Disco - Hustler