Saturday, September 3, 2016

2016 Security Awareness Training

The videos of this year's security awareness training are now available online at

This year's training begins with a discussion on ransomware, and includes a video demonstration of ransomware actively infecting a computer, all because a user enabled macros on a malicious Word document.  It continues with a fun discussion on the "Internet of Things". We make fun of it and show a bit of its creepy side, and also discuss the serious side of having everything connected.

Part 2 includes a hacking demonstration, where we talk about how modern Windows management tools are being used by bad guys to easily bypass a computer's defenses.  We demonstrate the hack using a special USB key that emulates a keyboard, and gives us (the bad guys) easy access to our victim's computer.  We steal some passwords, install a keylogger, and laterally move over to a computer on the service desk, just in time to spy on our service desk superstar.

Part 3 discusses how to defend against this hack and emphasizes that, as humans, the best anti-virus we have is our brain.  We then review passphrases and password management, with an emphasis on using password managers.  A great video by 1Password shows us just how useful they are.

Part 4 completes our discussion by looking at more tools and techniques we can use to protect ourselves.  We review Andrew Case's browser compartmentalization, which helps us defend against scripting attacks.  We discuss quite a few must-have browser plugins for both Firefox and Chrome that will greatly enhance our browsing security.

Saturday, March 12, 2016

The Commonalities of Fly Fishing, Pentesting and Social Engineering

I spend a lot of time thinking about these topics, so seeing illustrations of them in each other is expected.  This post is intended to share some of these.  But first, some concept definitions.

Pentesting is the art of testing an organization's defenses and security posture by exploiting (with appropriate written permission) computer software, hardware, and in the case of social engineering, people.

Social engineering is the art of getting someone to do something that they would not normally do (the psychological manipulation of people into performing actions or divulging confidential information).  It is not uncommon to obtain remote access to an organization's network via social engineering someone to execute a backdoor (by sending them a carefully crafted email with the backdoor as a link or an attachment), or by physically gaining access to one of their computers within their facilities.

Fly Fishing is an angling method in which an artificial "fly" is used to catch fish.

Sometimes fly fishing feels like a form of social engineering.  What I mean is that when we fish with artificial flies, we are essentially lying to fish.  We are putting something right in front of them that is fake, something that may or may not closely resemble something that they eat, and hoping they will fall for it.  I generally spend most of my time fly fishing for wild trout in mountain streams.  And if you didn't already know, trout are way smarter than we think they are. Which is why fly fishing is not easy, is a lifelong learning process, and is so incredibly interesting and fun.

That's essentially what we do when we attempt to socially engineer someone.  We put something fake in front of them that looks so real that they will fall for it.  And that fake thing often gives us access to networks and computers and facilities that we need to complete our penetration testing engagements.

Here are some thoughts from fly fishing on its similarities to social engineering and pentesting...

Preparation.  It's about choosing the right fly for the fishing situation.  That's way harder than it seems.  Trout are picky about what they eat, and unless they are extremely hungry, they focus on what they expect to see.  They see midges in the water, emergers on the surface, or mayflies falling to the surface.  Trout flies need to match (as closely as possible) what the trout expect on that day (and even that time of day).  It's often referred to as "matching the hatch", which makes a basic understanding of entomology very important.  It's often a hit-and-miss thing, where you have to try quite a few different flies before one works.  And you are doing this in an environment that is their home, not yours. It's not an easy thing to do, and if it were I probably wouldn't be very interested.

Preparation for a social engineering attempt is similar, especially if it's a targeted attempt.  We have to create and present something that the user would expect, or at least make it look like something they would consider legitimate.  That involves understanding what's normal in an organization, and includes knowing who knows who, who know what, who trusts who, etc.  Similar to knowing bug entomology and what trout eat, you must know your target.  If you are targeting a "big fish", you will definitely have to "match the hatch", focusing on the people and events that the target knows and finds relevant, making it harder to resist.

Presentation. This is one of the hardest parts of fly fishing.  It involves good casting techniques to place the fly exactly where you want it so it drifts naturally in front of the trout.  The cast has to land just right so as to not scare the trout away.  Good casting and presentation techniques take a long time to master.  Then comes the drift.  The fly has to drift naturally without "drag", as if it is floating or swimming in a manner a real bug in the water would.  It has to look real to the trout.  That isn't easy, because you have a fly line in between you and your fly.  Currents are often different on different sides of the river.  "Mending" the line is critical to maintain a "dead drift" so your fly line doesn't disturb the natural drift of the fly. If a fly acts differently in the water than a real bug does, trout are smart enough to know to ignore it.

Watching some of Jayson Street's (@jaysonstreet) talks on physical pentesting reminds me of this concept.  Jayson walks into physical facilities (with proper permission from the facility owners) and pretends to be somebody who is supposed to be there.  His goal is to infiltrate their facility and demonstrate its security weaknesses. He's really good at it too. His presentation isn't nervous or out-of-place at all.  It is natural and relaxed.  That gives those he is trying to trick a sense of ease and normality.  People give him what he wants and needs.  He looks "normal."  It's a perfect "dead drift" and it works time after time.

Setting the hook and the fight.  The trout takes the fly.  But do you know for sure it's a trout (unless your fish literally jumped out of the water for it)?  What if your fly just bumped on a rock as it floated by?  Setting the hook with subtle tugs whenever the line or fly appears to stop is very important.  Because when trout initially take a fly, they quickly realize it isn't real and will attempt to spit it out.  Split-second action is critical to set the hook. And when you realize you have a fish on, the adrenaline hits big time.

I usually end up "landing" the fish I hook (getting the fish to the net) only about 70% of the time (fishing exaggeration in progress ;).  That's partly because I fish with barbless hooks (hooks without a "barb" that normally keeps the fish from being able to easily get off the hook). I "catch and release" wild trout.  That means I try to get them to the net safely so they can easily recover from the fight.  Then I take a selfie with them, give 'em a pet and put them back in the water to fight another day.  Because I fish a lot in areas where "catch and release" is popular (a really good thing), the fish I catch aren't stupid.  They know the drill.  Some just fight a little and let me do my meet-and-greet with them and get it over with.  Others fight like madmen.  And they often know just how to move or jump into the air or twist just right during the fight to get off the hook.

So what does that have to do with pentesting? To me it relates to getting the "beachhead", securing a persistent backdoor, and creating a backup backdoor if at all possible.  Maintaining persistent access to the network you are pentesting is critical during a pentest engagement so you can consistently continue your post-exploitation efforts.  Then there's the fight.  I liken that to all the post-exploitation work we do in order to "land the trout".  Good defenses can and should put up a fight.  Getting to the "end game", taking a selfie with the "trout", equates to demonstrating real business impact: meaningful results that can help an organization become better at defense.  And pentesting is truly "catch and release", as we don't want to do harm to the organization.  Watch Ed Skoudis (@edskoudis) present on taking the right trout selfie, the one that produces meaningful business results, in "How to Give the Best Pentest of Your Life":

Defenses.  As I mentioned before, trout can be smart.  And it's the smart trout that don't go for the fly if it isn't perfect, and know how to keep from getting "landed" if they do happen to inhale the fly.

Organizations can be these smart trout by being very suspicious of anything out of the ordinary (and verifying it), monitoring their environments closely, watching for unusual connections and terminating them, and having strong internal defenses that include segmentation and tiered/strong authentication.  Defense in depth means that if an organization accidentally swallows a hook, it has the ability, time and energy to try to break free from it before real damage is done.

To become a better pentester, learn to fly fish!  :)))

The tactical river is where the thrill is.  This isn't lake fishing where you sit and wait.  It involves detailed tactics and hard fought techniques to find the real gold.  Trout live in the most beautiful places in the world.  And that's where the gold is.

For more, check out the targeted attack portion of my presentation, "The Fly Phishing Hack that Cost Millions" here:

Tuesday, March 1, 2016

Using PowerShell Empire as a phishing test tool...

Performing internal phishing tests is important for both user education and security metrics.  There are a lot of vendor options out there for helping organizations with their phishing exercises, but up until now most of ours have been created using in-house tools.  One tool we are beginning to use for phishing tests is "PowerShell Empire".

PowerShell Empire (or "Empire" for short) has become one of my favorite pentesting tools.  Empire is a PowerShell post-exploitation tool that implements the ability to run PowerShell "agents" against target systems.  It contains awesome post-exploitation modules ranging from keyloggers to Mimikatz, and is very good at evading network detection. Even after landing a Meterpreter session I find myself pivoting more often to using Empire these days for post-exploitation.

By using PowerShell, Empire has some offensive advantages including full .NET access, direct access to the Win32 API, the ability to assemble malicious binaries in memory, and a default installation on Windows 7+.

Because PowerShell is native to Windows, I don't have to worry much about AV catching my payloads (for now; some script tweaking tests against our AV may be necessary in the future, and other tools do see the activity).  That makes Empire super useful for creating payloads for both pentesting and in-house phishing exercises.

Empire has numerous options for creating different types of agents.  Creating an Empire agent as an Office macro is straightforward.  By embedding the macro into a Word or Excel document and adding some tempting text, it becomes a good phishing exercise.  Here's an example of an Excel attachment to an email stating that macros must be enabled:

If the victim enables the content, here's an edited version of what appears:

The macro executes the Empire agent and that agent checks in with my Empire server and provides what I need for phishing statistics (Empire also saves this info to an agent log on disk for easy parsing with the usual awesome Linux tools).  Here's a generic screenshot of an agent's info:

After collecting this information, I kill the agents and everything is back to normal on the victim workstations again.
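The defensive counterpart to this exercise is catching the launch itself: an Office process spawning PowerShell with launcher-style switches. The following detection logic is an added example (not from the post and not Empire's code); the events are constructed, Sysmon-style process-creation records, not real telemetry, and the base64 argument is a harmless placeholder.

```python
"""Flag Office-spawned PowerShell, the pattern behind a macro-delivered agent.
Added example; SAMPLE_EVENTS are constructed Sysmon-style records, not real logs."""
import json
from typing import Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
OFFICE = "C:\\Program Files\\Microsoft Office\\Office15\\"

SAMPLE_EVENTS = [  # constructed
    {"host": "ws-17", "user": "CORP\\jdoe", "parent": OFFICE + "EXCEL.EXE", "image": PS_PATH,
     # placeholder argument: base64 of UTF-16LE "AAAAAAAAAAAAAAAAAA", not a real stager
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"},
    {"host": "ws-02", "user": "CORP\\admin", "parent": "C:\\Windows\\explorer.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},
    {"host": "ws-31", "user": "CORP\\asmith", "parent": OFFICE + "WINWORD.EXE", "image": PS_PATH,
     "cmdline": "powershell.exe"},
    {"host": "ws-31", "user": "CORP\\asmith", "parent": OFFICE + "WINWORD.EXE",
     "image": "C:\\Windows\\splwow64.exe", "cmdline": "C:\\Windows\\splwow64.exe 12288"},
    {"host": "ws-09", "user": "CORP\\bjones", "parent": "C:\\Windows\\System32\\cmd.exe", "image": PS_PATH,
     "cmdline": "powershell.exe -ep bypass -w hidden -c Get-Date"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_flags(cmdline: str) -> list:
    """Launcher-style switches: profile/interaction suppression, hidden window,
    policy bypass, and a long base64 argument to -EncodedCommand."""
    tokens = cmdline.lower().split()
    hits = []
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if tok in ("-nop", "-noprofile", "-noni", "-noninteractive"):
            hits.append(tok)
        elif tok in ("-w", "-windowstyle") and nxt == "hidden":
            hits.append("-w hidden")
        elif tok in ("-ep", "-executionpolicy") and nxt == "bypass":
            hits.append("-ep bypass")
        elif tok in ("-e", "-ec", "-enc", "-encodedcommand") and len(nxt) >= 20:
            hits.append("-enc")
    return hits


def classify(event: dict) -> Optional[dict]:
    """Office parent + PowerShell child is the core signal; the switches raise severity.
    PowerShell with launcher switches under a non-Office parent is kept as low."""
    if basename(event["image"]) not in POWERSHELL:
        return None
    parent = basename(event["parent"])
    flags = suspicious_flags(event["cmdline"])
    if parent in OFFICE_PARENTS:
        severity = "high" if flags else "medium"
    elif flags:
        severity = "low"
    else:
        return None
    return {"host": event["host"], "user": event["user"], "parent": parent,
            "severity": severity, "flags": flags}


def triage(events) -> list:
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(json.dumps(alert))
```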

Check out PowerShell Empire at .


Always beware the out-of-the-ordinary requests...

We continue to see a lot of phishing attempts that pretend to be from the IT Department and ask you to login in order to keep from losing your account or your email.  Here’s an example of one from yesterday:

If you clicked on the link, here’s the fake Outlook Web Access page you would see:

Of course, the site name and the page is all wrong, but if you were to fall for it, you would be surrendering your credentials.

As always, be suspicious of anything that asks you to do something out-of-the-ordinary.   Stay safe.

Friday, February 19, 2016


You arrive at work and find a USB flash drive (“memory stick”) lying in the parking lot…

What should you do?

1. In order to determine if someone in my department lost this, I’d plug it into my computer and view contents of the files on it, which might help me find its owner.
2. I’ll hand this off to my IT support person. I won’t plug it into my computer, since I don’t know where it came from and what is on it.

The Answer: #2. “Baiting” is a common method for an attacker to gain access to a computer or a network. They use physical media and rely on the curiosity or greed of the victim. When the files on the device are opened, malware is executed and attempts to take control of the victim’s computer.

What to do: Have unclaimed found media inspected by your IT support personnel. Like unexpected emails, don’t trust media found in unexpected places.

Wireless access dilemma...

You are waiting in an airport and need to connect to a wireless network.  You see the following “Free Public WiFi” wireless network available:

The airport is charging $10 an hour for wireless and this one is free!

The question: Do you connect or not?

The answer: Don’t do it.  “Free Public WiFi” is both a hacker’s dream and a security glitch, forming a rogue connection directly to someone else’s computer rather than to a hot spot.  Originally caused by a glitch, it is often used by hackers, who know that many people cannot resist connecting to such a network.  If you connect through one controlled by a hacker, your activities will be watched, and your connections will be hijacked.

What to do: ALWAYS know what wireless access points you are connecting to.  Establishments providing legitimate wireless access normally provide the name of their access points.  Don’t connect unless you are sure.

Continue or stop?

You are using a wireless access point at a local Starbucks. Upon connecting to your email, you see this:

The question: Continue or stop?
“Just this one time won’t hurt anything.”
“I’ve seen this before, sometimes a certificate expires, so it’s ok.”
“I really need to look at that email!”

The answer: Don’t continue, close the webpage. If you see this, an attacker may be “proxying” your connection, capturing your passwords, seeing everything you do, and hijacking your connection.

What to do: DON’T trust a secured connection if there is a problem with the website’s security certificate.

Sensitive Information Theft, A Real Life Example..

October 29, 2012 — COLUMBIA, SOUTH CAROLINA -- The South Carolina Department of Revenue announced that a cyber attack exposed tax returns, credit cards and personal information for over 3 million people.

What happened?

Hackers obtained a user name and password for one employee…

They used it to connect to the department’s network, log onto as many computers as possible and install password capturing software.
Using this one user’s account, they ultimately got a different user’s login and password that gave them access to critical databases, and then proceeded to steal the information.
This cost the South Carolina Department of Revenue millions of dollars to resolve…

How did this happen?

A link in a malicious phishing email was clicked on by a single user. This act apparently caused the installation of the password stealing malware, which is how the hackers got the user’s password. And things just got worse from there.

· Don’t click on links in emails unless you are absolutely sure of their content
· Surf the Internet very carefully!

Physical theft of sensitive information...

One of the most common means of sensitive information theft is physical. This often happens when an employee takes sensitive information offsite on a portable computer or device without following proper precautions.

Stolen portable computers (laptops, tablets, smart phones) containing sensitive/protected information…

Stolen or lost memory sticks or portable hard drives that are unencrypted…

Even paperwork containing sensitive information that is stored in a briefcase or laptop case…

Remember that just one instance of stolen sensitive information can result in unfavorable press coverage and financial loss. California Breach Notice laws require that all those affected be personally notified and sometimes compensated in order to protect their identities.

What can we do to lower the chances of physical theft?
  • Do not store your password with your portable computer
    • You should secure your portable computer with a strong password, but never keep the password in the laptop/portable computer case or on a piece of paper or label attached to it.
  • Encrypt your laptop and any portable media containing sensitive data
    • Just one stolen laptop with sensitive information on it can result in unfavorable press coverage and require that all those affected be personally notified. Don’t store anything unencrypted on a portable device that you wouldn’t be comfortable with the general public viewing. Encrypt external hard drives, memory sticks and other storage as well.
  • Secure your portable computer when unattended
    • Attach a laptop with a security cable to something immovable or to a heavy piece of furniture when it is unattended. Devices are available that sound an alarm when there is unexpected motion or when the computer is moved outside a specified range around you.
  • Do not leave your portable computer in your car
    • Don’t leave your portable computer on the seat or even locked in the trunk. Locked cars are often the target of thieves.
  • Do not store your portable computer in checked luggage
    • Always carry it with you.
  • Keep track of your portable computer when you go through airport screening
    • Portable computers are frequently stolen at airport screening areas. Hold onto your device until the person in front of you has gone through the metal detector. Watch for your device to emerge from the screening equipment.
  • Keep it off the floor
    • No matter where you are in public – at a conference, a coffee shop, or a registration desk – avoid putting your laptop on the floor. If you must put it down, place it between your feet or up against your leg, so that you are aware of where it is located at all times.
  • Secure your laptop when in the office
    • Secure your laptop by locking it in a docking station, if available, using a security cable, a locked office or a locked cabinet.
  • Record identifying information and mark your equipment
    • Record the make, model and serial number of the equipment and keep it in a separate location. Consider having the outside of the case labeled with your department’s contact information and logo.
  • Back up your files
    • Make an encrypted backup of your files before every trip. In the event that your laptop is lost or stolen, you will still have a copy of your data.

Panic clicking...

There have been a number of reports of some very well done Verizon Wireless phishing attempts. Clicking on the links causes the attempted install of a new variant of the Zeus bot, a nasty data stealer.

See if you can spot the fake one:


Answer: the top one is fake. The only giveaway is that the fake e-mail doesn't include the partial account number, and typically indicates a large bill > $1,000 (at least large for me :). It is assumed that the large amount is supposed to cause panic clicking.

Legitimate phone call or not?

You receive a phone call from someone claiming to be from Microsoft support. He informs you that your computer is sending them error messages, and it appears to be infected with a password-stealing virus.

He tells you how to look at the event logs on your computer, and informs you that the event logs with warning signs show that your computer is infected.

The support person then directs you to an official Microsoft website where he asks you to download and install a special remote access tool so that Microsoft support can fix your computer for you.

What should you do?
· Continue, as the support page appears legitimate.
· Hang up.

Answer: Hang up. This kind of phone phishing, with its many variants, is a real and ongoing organized crime activity.

It has been estimated that thousands of people have fallen for this scam.

The scam: the caller does not work for Microsoft, and the website is scarily real looking, but it is not. If you take the suggested actions, you give a stranger access to your computer.

On its website, Microsoft explicitly says it never places unsolicited calls for tech support, security updates, software validation, or the so-called “Microsoft Lottery.” More information on Microsoft-related scams can be found here:

What to do: If you truly believe that someone cold calling you may be from legitimate computer support, verify by hanging up, looking up their phone number and calling the company yourself.

Password cracking in the news...

We hear a lot these days about passwords being cracked after they are stolen from online sites.

What is stolen from those sites is usually an encrypted version of the password called a hash that looks something like this:


When the above hash is run through password cracking software, it easily yields the password:


Password hashes are also sometimes stolen when your computer becomes infected with malware.

Do you know which password, of the 2 below, is more secure against password cracking attempts?


If a bad guy stole the hashes for these two passwords and tried to brute force them, here’s how long it might take to crack them (assuming the bad guy had no hints):

Between 8 to 18 hours, faster if multiple computers were available

1.29 hundred trillion centuries

So, the correct answer is the LONG passphrase.
Fourteen characters or more is considered best.

Obviously, this example is a known song lyric, so someday it and others like it might ultimately be added as part of a cracking table. This has already happened to common phrases such as “Beam me up Scottie”. That’s why we changed one word’s spelling to add a little entropy. A better approach is to personalize your passphrase. An example: Welcome2BarbM’sHotelCalifornia

Other passphrase examples:

I really need a vacation and want to go 2 Barstow
My cat Max hates it 2 when I give him a bath

PS: These are examples only; be sure not to use the exact passwords above. ;)
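To make the "hours versus centuries" comparison above concrete, here is an idealized exhaustive-search estimate together with the known-lyric caveat. This is an added example, not the tool that produced the figures in the post; the guess rate, the 8-character sample password and the short "known phrases" list are constructed assumptions.

```python
"""Brute-force search-space estimate plus a known-phrase check.  Added example;
the guess rate, 8-character sample and phrase list are constructed assumptions."""
import string
from typing import Optional

GUESSES_PER_SECOND = 1e11          # assumption: one fast offline cracking rig, fast unsalted hash
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
KNOWN_PHRASES = [                  # constructed stand-in for phrases already in cracking wordlists
    "beam me up scottie",
    "hotel california",
    "may the force be with you",
]
POOLS = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
         string.punctuation + " ")


def charset_size(pw: str) -> int:
    """Alphabet the attacker must cover once the character classes in use are known."""
    return sum(len(pool) for pool in POOLS if any(c in pool for c in pw))


def search_space(pw: str) -> int:
    """Every candidate of length 1..len(pw) over that alphabet (attacker has no hints)."""
    n = charset_size(pw)
    return sum(n ** k for k in range(1, len(pw) + 1))


def crack_time_hours(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(pw) / rate / 3600


def crack_time_centuries(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(pw) / rate / SECONDS_PER_CENTURY


def normalize(text: str) -> str:
    """Collapse the cheap disguises: case, spacing, punctuation, and 2/4 for to/for."""
    t = text.lower().replace("2", "to").replace("4", "for")
    return "".join(c for c in t if c.isalnum())


def known_phrase_check(pw: str, phrases=KNOWN_PHRASES) -> Optional[tuple]:
    """'exact': the passphrase is just a listed phrase, so its length buys nothing.
    'contains': it is built on one, which is fine only if the rest is personal."""
    norm = normalize(pw)
    for p in phrases:
        if normalize(p) == norm:
            return ("exact", p)
    for p in phrases:
        if normalize(p) in norm:
            return ("contains", p)
    return None


def report(pw: str) -> dict:
    return {
        "length": len(pw),
        "charset": charset_size(pw),
        "hours": crack_time_hours(pw),
        "centuries": crack_time_centuries(pw),
        "known_phrase": known_phrase_check(pw),
    }


if __name__ == "__main__":
    for pw in ("Tr0ub4d&", "I really need a vacation and want to go 2 Barstow",
               "Beam me up Scottie", "Welcome2BarbM'sHotelCalifornia"):
        print(pw, report(pw))
```

With these assumptions the 8-character sample falls in the tens of hours while the 49-character passphrase runs to astronomically many centuries, yet "Beam me up Scottie" is flagged as an exact wordlist hit regardless of its length.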

Your friend probably didn't just get robbed in a foreign country

It happens often.  Imagine that you receive an email from a friend or colleague claiming that he or she is stranded in a foreign country and desperately needs your help to get home. The email originates from the friend's real email account and may even include the same email signature that your friend uses when emailing you. Thus, you might be inclined to believe that the email was legitimate, at least at first glance. However, the emails are a clever scheme by Internet criminals designed to trick people into sending them money.

Many different versions of these scam attempts have been seen. Names and other details differ depending on whose email account the scammers have hijacked, as do the countries where the "friend" is supposedly stranded. The amounts of money requested in the messages may also differ. But, in spite of such superficial differences, all such messages are versions of the same basic scam. Sadly, many people have become victims of this scam and lost money to these criminals.

If you get an email from a friend who needs you to send them money quickly while they are on vacation, be very suspicious. If they really are on vacation, find a different way to contact your friend to find out if this email really came from them.  But you can rest assured that your friend probably didn’t just get robbed in a foreign country. :)