February 2012
40 posts
12 hours - Part 1.
Jim and I carefully approached the parking lot. It was almost 6:30 PM. We found a vantage point near a restaurant right across the street from the parking lot, climbed onto a container located on the side of the restaurant and prepared our gear. We had with us a couple of BARSKA Blackhawk scopes with tripods. At this distance those scopes were more than enough. We also had with us a night...
Feb 22nd
3 notes
Feb 22nd
5 notes
“Test yourself. Put yourself in the attacker’s shoes. If you were to penetrate...”
– Me
Feb 21st
1 tag
Basic security and situational awareness
Originally posted in October 2011. These points were taught to me while I was doing a counterterrorism course in the military and refer to physical security; however, with little to no change they can also be applied to information security: Be aware that a threat ALWAYS exists and that the target of that threat can be you. It doesn’t matter if you don’t see it or if you don’t know of a certain...
Feb 21st
2 notes
Ten days left for the logo submission
I’m looking for a logo that will represent Red Teams. Some of the readers have submitted awesome logos. So as a reminder, I am opening a contest: submit your design for a logo to be used in Red Teams. The rules are simple, the logo has to be clear enough that it could be used as the main logo for the blog and as the icon for it. Also, it is a logo, too much text will defeat the purpose. ...
Feb 21st
Feb 21st
2 notes
1 tag
Feb 21st
3 notes
Field Tested →
Because a lot of people were asking the same questions. Here’s the about.
Feb 20th
Feb 20th
5 notes
Feb 16th
1 note
“If you think technology can solve your security problems, then you don’t...”
– Bruce Schneier
Feb 15th
6 notes
“…the modern enterprise is too complex for any individual or group to...”
– The Centrality of Red Teaming
Feb 15th
1 tag
Feb 15th
3 notes
Getting information, by any means...
During a project where I helped law enforcement officials track a high-ranking fraud criminal, we ran into a problem. The criminal had his computer protected with a BIOS password. Part of the project called for a little deception so I could sneak into the criminal’s hotel room (with permission of the law enforcement agency) and search his laptop’s hard drive, extract any useful...
Feb 14th
5 notes
I Want to Detect and Respond to Intruders But I... →
Richard Bejtlich: “I want to detect and respond to intruders but I don’t know where to start!” This is a common question. Maybe you have a new security role in an organization, or a new service or business in your current organization, or some other situation where you want to find and stop attackers. However, you have no idea where to begin. Do you have the data you need? If...
Feb 14th
“The anguish of low quality lingers long after the sweetness of low cost is...”
– Unknown
Feb 14th
1 note
“Red Teams transform theoretical intrusion scenarios into reality in a controlled...”
– The Centrality of Red Teaming
Feb 14th
1 note
Black Hat Budgeting | Richard Bejtlich →
Richard Bejtlich wrote this back in 2009. It is still very much the same today, only worse. Earlier this month I wondered How much to spend on digital security. I’d like to put that question in a different light by imagining what a black hat could do with a $1 million budget. […] … I submit that for $1 million per year an adversary could fund a Western-salaried...
Feb 13th
1 note
“Assume nothing.”
– The Moscow Rules
Feb 13th
4 notes
“The superior man, when resting in safety, does not forget that danger may come....”
– Confucius (551 BC – 479 BC)
Feb 12th
5 notes
Traveling Light in a Time of Digital Thievery →
When Kenneth G. Lieberthal, a China expert at the Brookings Institution, travels to that country, he follows a routine that seems straight from a spy film. He leaves his cellphone and laptop at home and instead brings “loaner” devices, which he erases before he leaves the United States and wipes clean the minute he returns. In China, he disables Bluetooth and Wi-Fi, never lets his phone...
Feb 12th
5 notes
“Securing an environment of Windows platforms from abuse - external or internal -...”
– Gene Spafford
Feb 11th
1 note
Logo Submission
Because I won’t be available the last week of Feb, I am extending the deadline to March 6. Get your logos coming! More info here.
Feb 9th
“I find that standing outside the front door smoking a cig is an easy way to get...”
– Drew Simonis
Feb 9th
5 notes
“Amateurs hack systems, professionals hack people.”
– Bruce Schneier
Feb 9th
15 notes
“Let us not look back in anger or forward in fear, but around in awareness.”
– James Thurber
Feb 9th
10 notes
Feb 9th
1 note
Certifications? Why?
So the market is forcing me to get one of the security certifications, like the CISSP. It doesn’t matter that I have more than 15 years of experience and pretty much saw each case those certifications cover first hand. Sure, I can pass the exam but I don’t see the point, besides they charge you an enormity for it and you need to maintain it each year by paying more money. It’s all...
Feb 8th
5 notes
Offensive security research community helping bad... →
Adobe security chief Brad Arkin has a message for the benevolent security research community: Your work is driving down the cost and complexities of attacks against computer networks. During a keynote presentation at the Kaspersky security analyst summit (see disclosure), Arkin said the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply...
Feb 8th
4 tags
Myke asked: Can you describe the reason for each item on your kit? Well, a lot has been already explained in here and in here. Also I have a little blog that describes the gear I usually carry with me: On Me. However, this is the current default. Clockwise from left: Field Notes. I use this to take notes on the fly during recons. The notepad is simple and lightweight. SureFire Pen II....
Feb 7th
5 notes
Undisclosed
You know that undisclosed location? Yeah, that one. I’m not there. I am at another undisclosed location.
Feb 7th
2 notes
3 tags
Man in the middle - literally.
When I am performing a physical penetration test I like to call someone at the target and ease my way in if possible. These people usually are either secretaries or IT personnel. Secretaries are so busy that it is relatively easy to convince them to set meetings (this gives you a reason to be at the premises) or to download interesting marketing material, otherwise known as weaponized Word...
Feb 7th
3 notes
Feb 7th
4 notes
Good reasons to use a Red Team
A Red Team identifies vulnerabilities overlooked by system developers and defenders. Red Teams can demonstrate potential harm a real attacker could inflict. Red Teams contribute to the selection of cost-effective countermeasures. (via MITRE - Defense-Information Assurance Red Team)
Feb 6th
“Defined loosely, red teaming is the practice of viewing a problem from an...”
– Red Team Journal - Red Teaming and Alternative Analysis
Feb 6th
Feb 5th
1 note
3 tags
Fieldcraft for Digital Operations
Penetration tests, risks and vulnerability assessments, Red Team operations and others fall under what I call digital operations (DO). In a lot of cases DO is done from the safety and comfort of an office, however a lot of times it is done in the field. Performing DO in the field can be challenging and sometimes, depending on the operation, dangerous. There are several reasons for performing DO...
Feb 5th
10 notes
Feb 3rd
2 notes
Gear give away
Well, I decided to finally get a logo for Red Teams and I wanted to see if any of the readers wanted to help with the design. So I am opening a contest: submit your design for a logo to be used in Red Teams. The rules are simple, the logo has to be clear enough that it could be used as the main logo for the blog and as the icon for it. The winner gets to choose from the following gear CRKT...
Feb 3rd
4 notes
TSA protecting us... No, really →
No comments. You have to read the article.
Feb 1st
8 notes
Social Engineering
Social engineering is the art of hacking people. People are essentially good and are willing to help; social engineering exploits that. It’s a great skill to have in the world of red teaming and information security, and while it’s not a new thing we’ve been hearing a lot about it lately: in the RSA, Lockheed Martin and other attacks recently the technique used was something the infosec world...
Feb 1st
4 notes
The "Team" in Red Team
As the name implies, a Red Team is a team. In the world of information and computer security it is composed of a variety of experts in different areas. Each member can perform the other’s duty but each one has a specialty and he or she is responsible for it. In the company I used to work for a few years ago we had a six-man team, four members doing the actual work (we called them Alphas), one...
Feb 1st
1 note
Bugging Out with Personal Information | ITS... →
A copy of your personal information should always be included as part of a bug-out bag or evacuation kit. I have often been asked why we need this information and have had people say that they have this information secured in a safe in their home. Is that information actually safe? Are you certain that your safe will survive a major fire? What if a tornado destroys or removes your house...
Feb 1st
4 notes
January 2012
47 posts
“You are what you do when it counts.”
– The Masao (Armor, by John Steakley)
Jan 31st
1 note
Jan 31st
10 notes
Jan 30th
3 notes
How SCADA highlights the futility of finding... →
Many (but not all) researchers seek out vulnerabilities in an attempt to reduce risk. However, they ignore the threat component. And that means that, in order for risk to be reduced, any reduction in vulnerability level must be greater than the increase in the threat levels. Even though most vulnerabilities are never exploited, there are a number of examples from the past that show that more...
Jan 30th
The Art of Cyberwar | Kenneth Geers  →
An interesting article with some really good points about the difficulty of dealing with cyber attackers and properly defending your system. The establishment of the US Cyber Command in 2010 confirmed that cyberspace is a new domain of warfare. The computer is not only a target but also a weapon. Therefore, national security thinkers must find a way to incorporate cyberattacks and defense into...
Jan 30th
1 tag
Jan 30th
8 notes
The fieldcraft guide For digital operations -... →
This previous post got me thinking and I put together a little guide. It is still a draft, but what do you think?
Jan 28th
2 notes