Equifax breach.... WTF

I'm linking here to an article from the New York Times: Equifax’s Instructions Are Confusing. Here’s What to Do Now.

It’s time for all of us to play defense, because Equifax clearly did not.

In the wake of the epic breach of as many as 143 million of our Social Security numbers, names and addresses from the company’s credit files, the company put up a website that attempted to make sense of things for consumers.

The company’s first order of business ought to have been to create a simple way for people to figure out if their data was potentially compromised. On this count, Equifax failed at first.

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

Why am I pointing to this article (which you should go and read)? Because this is getting ridiculous. Credit companies hold a huge amount of personal information, information we DO NOT want them to have, but we are forced to give it to them by the way the BS credit system works in this country.
It's time for the credit companies and the whole financial industry to get their act together on security. We are the ones suffering from their lack of basic security - yes, at that level basic security also means red teaming, pentesting, and a whole lot more, not just the stupid PCI checklist or the cover-your-ass checklist.

Here's a great article from Arstechnica that points to some really bad things.

For starters, the page they have set up: www.equifaxsecurity2017.com
It does look like a phishing domain, right? On top of that, quoting Arstechnica:

It runs on a stock installation of WordPress, a content management system that doesn't provide the enterprise-grade security required for a site that asks people to provide their last name and all but three digits of their Social Security number. The TLS certificate doesn't perform proper revocation checks. Worse still, the domain name isn't registered to Equifax, and its format looks like precisely the kind of thing a criminal operation might use to steal people's details. It's no surprise that Cisco-owned OpenDNS was blocking access to the site and warning it was a suspected phishing threat.

And then...


I tried to see if my info was stolen, so of course I entered my real name and the real last 6 of my SSN:

Name: Bubufuck
Last 6 of SSN: 123456

But then I tried all my friends' information. I entered 21 random strings of text and 21 random "last 6 of SSN" values, and they were ALL compromised! Man, these hackers were good!

The best is when Equifax leaves debugging info for security purposes:

Yes, go read the whole article, but it's not surprising that three high-level execs sold their stock right before announcing the (several weeks old) breach.


From The Verge's article (screenshot not reproduced here)

Quote of the day

“I really try to put myself in uncomfortable situations. Complacency is my enemy.”

— Trent Reznor

Quote of the day

“There’s always a degree of randomness involved.”

— Alex Honnold

Strategic Red Teaming: The Job Description

Our friends at the Red Team Journal posted a notional job description for a "Strategic Red Team Director". This provides a good list of what's needed on a Red Team, and what a Red Team should be in an organization. Yes, it's not pentesting.
Go read it.

This is an excellent opportunity for an experienced, forward-looking red teamer to build a world-class red teaming capability at a prominent global organization. The successful Strategic Red Team Director will lead the enterprise’s efforts in adopting and maintaining a system-wide view of threat-driven risks, with the goal of working with senior management to control these risks.

Access codes

Thank you all so much for the support!

We just sent out the access code for the forum and private area of the blog. Please check your inboxes. The forum will be up and running in a few weeks. So keep an eye on the blog.

In several cases, Paypal didn't attach an email address, so if you haven't received the code, please use the contact form to let us know, and we will send it right out to you.

Again, thank you.

Update on the forum

Everyone: the team is currently deployed on an incident response project. This has delayed the forum coding and the sending of codes to the people who donated. The guys writing the code for the forum are currently overseas. This will be over soon and we'll get back to work.


Personal Principles

Note: Originally posted on my personal blog.

  1. Simple and light.
  2. Have a PACE for everything.
  3. Make it asymmetrical, stack advantages.
  4. Act, don't react.
  5. Target dictates the weapon and the weapon dictates the movement.

These are principles that have helped me across a variety of activities: war, alpine climbing, work, red teaming, hard times...
I tried to simplify the concepts as much as I could, focusing on things that can be applied together.

1. Simple and light

Keep everything simple. Simple things are easy to change when you need to. Simple plans will adapt better to the ever-changing conditions in the field. Simple things are easy to understand and explain, especially under stress.
I also believe in being nimble. Being light allows you to move faster, more fluently. Being light allows you to be more efficient.

2. Have a PACE for everything

PACE: Primary, Alternate, Contingency and Emergency. A military way of building a communication plan. However, it can be applied to all kinds of planning.
It's about having a Plan B, but also understanding that everything will eventually fail. Have contingencies and an escape plan. Be ready for the worst. When it happens, you'll know what to do.

3. Make it asymmetrical, stack advantages

It's not what you do, it's when and how you do it. It's making sure the odds are in your favor. If you want to be successful you have to make it happen. Fight with small-team tactics, like a guerrilla. Make things stack in your favor. Then execute.

4. Act, don't react

Don't wait for things to happen, be proactive. Go for it and be ready. It's too late if you have to react after something happened. Red team it. Plan 2-3 steps ahead, and make it asymmetrical!

5. Target dictates the weapon and the weapon dictates the movement

Don't get caught up in a technique, or a method, or a tool, or in planning. Things are dynamic and they depend on your target. Once you know your target (what you want to achieve), you can then decide what weapon (technique, tools, etc.) you need to use to hit that target (or to work with, defuse, assess, build, etc.). Once you know the weapon, you'll be able to understand how you will need to move to reach that target. In other words, don't be stuck on a technique or tool; adapt it to the target, focus on understanding what the best tool or technique is to achieve that target, and then you'll be able to plan (move) to make it happen.

(Note: this principle was taught to me by Richard "Mack" Machowicz, one of the most interesting people I've met. Unfortunately, he is no longer with us. Thank you for everything, Mack!)

GORUCK Constellation

Urban ops... Survival.. Thinking like a bad guy to overcome difficulties... Yes, the GORUCK Constellation.

Come join... Get your mindset right. Who knows, you might see us there...

Quote of the day

"Hacking takes time. Developing the tool chain takes time, recon takes time, sometimes systems get hardened and the optimal time to hack them was in the past, and so on and so on. The best time to collect intelligence about an adversary is before you need it."

-- the grugq: Idle Thoughts on Cyber