GoDaddy SEO Cloaking: Under The Condition of Donkey Porn

I can’t make this stuff up. I am leaving all of this cyber jabawaki behind me to pursue a career in Canadian pharma and internet pornography. Nahhh… but that does make for a great topic of discussion! Like this one. If you actually follow my blog (all three of you) you may have read a post that I wrote just a few days ago, PenTester Pro Tip: Validating The TOE, which is what resulted in this masterpiece. Background Yet again, on a pentesting engagement I came across a questionable domain that was clearly unrelated to my target’s industry, so I took the time to inspect it a little further. Long story short, the domain did not belong to my client, because they in fact provided an invalid IP address range. No harm no foul. However, when I ran a simple Google search on the domain name it returned some gnarly results. Interesting… right? Maybe not to the uninitiated. I’ve seen this kind of thing before (– and No… I do not go searching the internet for donkey porn… except in this instance). It appeared to me that what was going on here was a case of SEO cloaking. It is fairly…


Your Monthly Security Report Is Worthless

I am doing my best to keep up my blogging momentum. It’s been easier for me to share experiences than to tutorialize tactics, so I present to you this tidbit… This post is directed at anyone who works in security and is responsible for communicating security information to business leadership, board members, and / or anyone (for that matter) who gives a damn. It is quite common that I meet with a client and they want to communicate the health (if you will) of their security program. Typically, by handing me a report that they regularly draft and distribute or present to upper management or other members of the board (if I am working directly with an officer). Some reports are very pretty. They have charts, graphs, and a nice layout. Others… well… let’s not focus on what they look like… yet. Let’s talk about what they tell us. In most cases… NOTHING. But I made it visual! It is easy to follow! Yeah… with what? your vast array of Crayolas? In many cases, I come across reports that are laden with screenshots from any number of security tool dashboards, provide executive summaries that highlight a bunch of fluff, and…


PenTester Pro Tip: Validating The TOE

If you’ve ever worked as a professional penetration tester then you definitely know what a TOE is. For those of you who do not, the TOE or “Target Of Evaluation” is “the product or system that is the subject of evaluation” (Wikipedia). For the sake of simplicity, a system connected to the internet with an IP address is the TOE for an external penetration test. Your client has provided a list of IP addresses, maybe in CIDR notation, maybe they’ve just dropped you a spreadsheet with a list of targets that fall within the scope of testing. At the end of the day, they’ve provided you with a list of assets that are in play. Side note: I won’t stress the importance of performing thorough reconnaissance and the value it will provide to both you (during the assessment) and to your client. There are plenty of books and training courses that have done a fine job conveying that message. However, I do want to provide you with the following scenarios and why it is important to validate and verify your targets: Scenario 1: Client Provides Wrong IP Addresses (Bitter CIDR) You’ve laid out your pentest, you’ve got a list…


Security Folks Need An Accountabilibuddy

Don’t mind my nomenclature, I am not trying to be a buzz-wordy trend setter. I am just an avid South Park fan and I couldn’t find a more appropriate name than “accountabilibuddy”. Urban Dictionary defines accountabilibuddy as, “The name for a buddy you love so much, that you hold yourself accountable for his well-being.” That may be overreaching a bit, but here is the harsh reality… As a consultant, I have the opportunity to work in many different environments, work with a variety of tools and technology, and I have the pleasure of meeting many interesting people. More often than not, that is not the case for the security or IT professionals working at a small to medium-sized business and sometimes even in an enterprise. More often than not, security folks find themselves in a silo. A silo that may be built by none other than themselves or because of a workplace culture that still separates IT and security from the rest of the business. The job place can sometimes be a lonely one. This scenario is debilitating for those of us that are looking to grow. Whether it be for personal reasons, because you just want to…


In all honesty…

I have been terrible about keeping this updated.  More than a year? Seriously? Folks… I have had a good amount of requests regarding video content.  The truth is, I struggle to find time in addition to my work / life.  So, I am going to do my best to at least post some new content here.  Let’s see what I can conjure up…


The NSA’s Tailored Access Operations Hurt Americans… and It Has Nothing To Do With Privacy

¡Rant Warning! Let’s get this out of the way. First, I am not a privacy advocate. I’d like to believe in such a thing, but the reality (and we all know it) is that privacy is dead. My background is in security, which is really the underlying topic here when we talk about the NSA and their Tailored Access Operations, or “TAO”. I’d also like to state for the record that I am usually very reserved when it comes to voicing my opinion about the government, because in all honesty… I’ve never worked for the NSA or any other three-letter agency. Call me naïve… but I’d like to believe that the motive behind these operations is truly in the best interest of my country even though I disagree with the tactics. Like many of you, last night I watched President Obama deliver the State of the Union. This year (and we were all prepared for it) he mentioned (and I use “mentioned” explicitly) that he is working on cyber policy in light of the ever-growing number of cyber attacks that are affecting American businesses and that are putting Americans at risk. He also mentioned that he has worked with privacy…


Sony Hack – FireEye Claims They Are Not At Fault… Sounds Phishy ;)

If you haven’t heard about the Sony hack (#SonyHack) you are most likely living under a rock. Every news outlet under the sun has been reporting on the breach for just over a week now. The data that has been leaked so far has experts estimating the damage has already exceeded $100 million and in the midst of all of this, hacked e-mails between big shot producers and Sony Pictures execs have Hollywood tearing each other limb from limb. In response to the attack, Sony has been working with the FBI and they have recruited premier incident response service Mandiant (purchased by FireEye in January of this year). ArsTechnica recently published an article regarding Kevin Mandia’s (Head of Mandiant and founder) letter that basically states that Sony is blameless for the attack, that the attackers used “non-standard strategies”, and that the attack was unprecedented. Coming from such a well-respected authority, it appears to be an attempt to eliminate or limit Sony’s liability on the matter, but statements like these don’t come without backlash… especially from the security community. Maybe this letter wasn’t to limit Sony’s liability, but instead, it was intended to protect the reputation of FireEye? Doesn’t Sound Right “Non-standard…


Advanced Threat Protection Evasion for Penetration Testers: Part 2

In my last post, “Scratching the Surface of Advanced Threat Protection”, I covered what ATP actually is and how it works. In this post, I am going to provide you with a basic methodology that will assist in evading Advanced Threat Prevention in the event you happen to encounter it during a penetration test. The second part of this methodology will also prove useful for testing these products on their own, prior to network implementation, which will actually be the third part of my ATP series (Testing Advanced Threat Protection Products). A Method To The Madness A good penetration tester knows the importance of performing thorough reconnaissance. The more information you gather about your target of evaluation, the better your chances are of having a successful penetration test. When we learn that Advanced Threat Prevention may be a game changer, there are some additional steps to take to increase your odds. It all boils down to your OSINT skills. Defeating ATP isn’t necessarily any more technical than antivirus evasion. It just requires you to do a little more R&D.  A good friend once told me, “if you fail to plan, you plan to fail” –  Since then I’ve adopted this saying as my…


Scratching The Surface of Advanced Threat “Protection”: Part 1

WTF is it? Ahhh… just throw it in the sandbox It has been quite a while since I’ve last posted, but I am going to try and make a go of it and be a little more active on here. The aim of this post is to provide you with an overview of Advanced Threat Protection / Prevention, which seems to be all the rage these days in the security product market. Over the past several months, I’ve had the pleasure of encountering these products on several engagements and even had the opportunity to work with some awesome security engineers who have and were in the process of testing / implementing this technology. This post will serve as an introduction to Advanced Threat Prevention and will be the basis for subsequent posts that will cover: ATP Evasion For Penetration Testers (Part 2), Testing ATP Products (Part 3), ATP Network Implementation and Placement (Part 4). It was quite difficult to come up with a title for this post, because each vendor has their own nomenclature for (essentially) the same technology, but generally “Advanced Threat Protection” or ATP seems to be accepted across the board. However, “Prevention” is more appropriate being that ATP…


2014 Rolls In Packing An Infosec Punch

This is just a brief post. The holiday week has proven to be a bit hectic with time constraints and the surprising workload, but (as promised) I will be posting a new video within the next few days. On a side note… we are literally 3 days into 2014 and this is WTF is going on: The most notable security firm for their digital forensics and incident response, Mandiant, has been purchased for over a billion dollars by industry leader, FireEye. A billion dollar acquisition? Yeah… that’s right. FireEye’s chairman, David DeWalt claims that he wants to create the strongest security company in the world. Acquiring the notable talent of Mandiant into one of the industry’s most respected security providers; FireEye may have done just that. (Ref: http://www.reuters.com/article/2014/01/02/us-mandiant-fireeye-idUSBREA010W220140102) Photo messaging app SnapChat was hacked leaving over 4.6 million user accounts compromised by revealing the phone number attributed to a username. Apparently the bug was reported months ago by security research group, GibsonSec. The vulnerability was reported to be fixed by SnapChat in response to GibsonSec’s findings, but we all know how that turned out. (Ref: http://www.huffingtonpost.com/2014/01/01/snapchat-leak_n_4528573.html) Finally… Everyone’s favorite Syrian hacking group, the SEA (Syrian Electronic Army) had their way…
