You are browsing the archive for Preaching.

Why PUA/PUP are bad for you a.k.a. the evil of environment fingerprinting

November 9, 2015 in Compromise Detection, Incident Response, Preaching

In my post about sample targeting EDR I mentioned that the sample is a PUA/PUP. Looking at the code of many PUA/PUP/adware samples created in last few years it’s easy to see how far they go nowadays in fingerprinting the environments.

This is why many of them should be treated as malware & should not be ignored in ‘business as usual’ IR activities.

In the aforementioned post I listed a couple of routine names that that particular sample used. All these routines are called one by one, and a final string is generated containing reference numbers associated with each ‘discovered’ piece in the environment.

fingerprintingThis is no longer just a sandbox detection.

EDR, VPN, AV, security tools, often list of updates, hotfixes, full software list from registry, etc. is added too. Someone, somewhere populates some large databases with a lot of this ‘goodness’.

One can imagine that this data may be a very valuable piece of information – it could be sold not only to advertisers, software writers, even companies whose products are being profiled (competition/market research), but also – of course – on a darker side – to random malware authors, and guys specializing in targeted attacks. If you think of it, a good PUP/PUA campaign could be even orchestrated by the actual BAD guys.

If 0days allow a way in, a database with an information about used software may simplify and speed up a lateral movement. And why bother doing all the time-consuming illegal hacking/malware infestation/recon if you can simply deploy borderline software first. Let it populate a huge matrix including lots of information about as many hosts as possible in as many organizations as possible. And then, with such precise information about installed software & deployed countermeasures it can be leveraged to simplify many hacking operations (and targeting).

This is of course scaremongering on my side and a conspiracy theory in the making, but the only reason I am writing this is that if you are ever looking for arguments to treat PUA/PUP as malware… or someone argues that PUA/PUP can be ignored in your AV alerts then the massive fingerprinting they do nowadays is the big one…

Interviews – some random thoughts

October 17, 2015 in Preaching

Interviewing is a sort of hobby of mine. It started many years ago when I was trying to get a job in a different country and despite many efforts to secure such a position I was always ending up with a disappointment and… had to go through all the stages of grief.

Many times.

I eventually secured that dream job abroad, and the rest is – as they say – history. Thanks to many interviews, some of which I passed I can now claim I worked in a couple of companies, and even gambled a bit & opened my own. It just takes time and patience. If things do not work now give yourself a few years and you will eventually see the fruits. And on a personal level – these interviews enabled me to do what I always wanted – I really love living in different countries, exploring different places and despite logistical difficulties associated with each move it gives me an immerse kick to be able to be reborn over and over again. In last 15 years I had 14 addresses in 4 different countries. I always feel blessed that I was able to achieve it, and even more blessed because my wife and I share the same passion of a nomadic life. As I write this post we are thinking of moving again… Yay! And hopefully there will be more moves in the future – last year I met a very old guy in Tasmania – he was over 80. He traveled with a group, but was on his own. He chatted me up and that’s how I learnt that he worked in at least 10 countries. What an interesting life to live!

Over the years I spoke to many agents, recruiters in quite a few countries and was also interviewed by many really clever people. Of course, sometimes I was also interviewed by some who didn’t even have a clue about the subject, despite being in a managing or a VP/Executive function. Yes, this is the reality of job hunting. Knowledge is not necessarily the most important thing. Speaking to many people opened my eyes to many things I was not aware of and there is a value in learning how “it” works.

I must add that apart from being interviewed, I also interviewed quite a few people myself; I also hired quite a few guys as well – with this post I am attempting to summarize a few things that I learnt from all these experiences. This is such a loaded topic that I – in advance – apologize for a bit chaotic nature of this post.

Before I begin I must emphasize that interviewing is always a tricky business and giving any advice or commentary on this particular subject and hiring in general is even trickier – being bold and arrogant about what is right and wrong will surely ricochet one day and I bet I will one day regret writing this post šŸ˜‰

So, I am not right. I may be wrong, but I hope I am not. You be the judge.


For starters, let’s talk about the interview questions.

I personally divide interviewing questions into 2 simple buckets:

  • treating the candidate like you would like to be treated – you ask questions relevant to the job & skillset required for the position grade (f.ex. junior vs. senior)
  • the opposite – and here I include all the questions about moving Fuji mountain, etc. – these may be cool if you are applying to Mensa, but if your job is to be on the IT force the questions you should be asked by the interviewers should be really relevant to your future job; any ‘lateral’ questions aiming at testing ‘imaginative thinking’ are a proof that the employer is not really thinking of you as a professional, but a clown; and a full disclosure here: I did on occasion ask candidates such questions in the past and I sincerely apologize candidates who ever spoke to me and had to suffer… it will never happen again; there are industries where such ‘creativity’ is to be desired, but it’s not a day-to-day in the IT & IT Sec; the only exceptions I can think of are _real_world_ algorithmic problems, or asking the candidate to implement a function (which is often required of developers and proves they can actually code – but mind you, this is not even lateral question, but a simple, work-related question)

If you think of it, the ‘what interview questions to ask’ problem is actually easy. The easiest is to ask relevant questions with a focus on testing the knowledge of the candidate they claim they have (based on the resume) first.

To give you an example…

The (now, sort of) classic question I once asked a candidate (it was so surprising to him that he remembers it to this day!) was me asking him what is a shortcut key in IDA Pro which we use to name a function. On his resume the candidate claimed he knows IDA Pro so this was an obvious question for me to ask. To my surprise, he struggled with this question a lot and I instantly knew that his contact with IDA was more platonic and a wishful thinking than the actual experience. He was an excellent candidate though and was hired – this is because he killed so many other questions and knew more stuff than I did in many other areas of security. Btw. he is one of the leading forces behind a world-known hacking team now.

Yup. One of the most intelligent guys I personally have a pleasure knowing.

That IDA question became a funny anecdote between two of us, but the reason I mention this particular question is because the sole nature of that question was its simplicity – and it is such simplicity that imho represents the core of a good question that you can ask during an interview. It is short, to the point and tests candidate’s claimed knowledge on the spot. And let’s not forget – even if not answered, and exposes certain lack of knowledge, it doesn’t intend to ‘kill’ the candidates’ chances. Because you don’t want to ‘kill’ the candidate. You test both the actual knowledge, but also the candidate’s survival skills. Being able to describe how they would go about finding the answer to the question is also a good answer. Many of IT tasks nowadays is googling & applying the newly acquired knowledge.

Another thing to mention. Many popular questions focus on a memorized knowledge – what is the port used by HTTP, DNS, FTP, etc.. They may be good closed questions and are definitely relevant, I still ask them myself, but imho it’s much more important to find out if the candidate is actually interested in the subject.

I have interviewed many people who claimed they knew malware analysis and were deeply interested in it. The lies I heard from them were funny, because often they had no clue what they were talking about, but also very revealing – you can immediately tell whether the person has a natural tendency to be a curious explorer, or is a robot who you will be needing to micromanage forever, because they have no internal drive. This may sound controversial, but I think some lying during the interview is permitted and should be even encouraged. If a person can smoke me using bits and pieces of knowledge + maybe using some natural charm – they have a potential – and it sells that person much better than a guy who doesn’t know anything yet is still making up stories instead of saying “I don’t know”. In terms of malware analysis specifically – if you can’t cheat a bit – you simply can’t deliver. Cutting corners is really necessary there.

The “I don’t know” is very important. Say it, if you don’t know. And if you have ideas, add “but I could find an answer easily <here> and <there>”.

Another area that many ‘interview advices’ miss is the questions from the candidates to the potential employer. If you are interviewed, you do need to show at least a minimal interest about the employer. You don’t need to talk about stock prices. Ask about offices, team size, history, whether the role is a new or a replacement, about certification and traveling opportunities, and even about the interviewer’s experience with the company. That’s like 15 minutes worth topics to talk about. In Australia/APAC ask about night calls (remember that any Oz/APAC timezone works against you and you often need to take calls at night to talk to guys in EMEA and NA). As anti-social as I am, I find it fascinating to often meet people on the other side of the phone that are no less anti-social than me. Break the stiff routine and have a good laugh about the nuisances of a corporate life. Again, the foundationĀ  here is a genuine interest and camaraderie. If you just randomly fish for opportunities and have no interest it will emerge very quickly. And you never know… if you are serious and can sell it you may get lucky & may find a new mentor that will lead to you to completely new level of professionalism…

The last topic I want to cover is exploring the opportunities.

After visiting Australia last year I honestly fell in love with the country. I definitely want to live there at some stage in my life. So every once in a while I apply for jobs there – partially to test the waters, partially hoping for a good luck. I get some replies and sometimes I do interviews, but what follows is not about the good ol’ hiring process. It is about more modern faces of hiring – many of which I was actually not aware of. One such aspect I encountered while dealing with Oz opportunities I found particularly interesting and is a novelty to me – it is about a modern way of screening the applicants.

It works this way: you apply, someone at the other side of the system potentially screens your resume manually (this, I am not sure, but I assume someone needs to click something and some sort of review is /hopefully/ to be expected), and you receive an invitation to a webcam interview.

Yes, you are asked to talk to the computer. It will record you and someone will later review your video. If you get enough facebook-like likes, maybe actual people will talk to you.

The first thing that came to my mind when I saw a notification about such interview was the ‘Up in the Air’ movie with George Clooney, and the character played by Anna Kendrick. In the movie she tries to lay people off doing so remotely while she is missing the fact how redundancy affects people in real life. I personally am very pragmatic about contracts – two parties come together and part their ways, but luckily we are not robots and that personal touch is definitely a nice thing to have – no matter it is a process of hiring or laying off.

The other thing that stroke me was the fact I applied for a relatively senior position & after learning to be shortlisted for the interview I was happy. The fact I need to be shortlisted again is not such a big surprise, this is a natural interview process, but it still feels strange being shortlisted in the second level with not a single word exchanged with a potential future employer. Also, the invite for the webcam interview was sent with a title ‘Cyber Security Positions’ suggesting everyone was just approached in bulk, and there doesn’t seem to be much of a shortlisting done really yet…

So, the obvious question I had was… are they really really interested in ME? Or just batch-processing the candidates?

I don’t know.

But… they want to hire, because there is an identified need in the company to fill-in that role, right?

They should be pretty specific… & interested…

I am asked by them to go online, and do a performing act on a web camera. You can also use an app (you need to install it on the smartphone). And this, in the environment where I have a zero knowledge about what criteria the company is actually looking at, and no context of what was there in my resume that might have interested the company to actually talk to me.

I believe the interview is a peer-to-peer process. The impersonal webcam thingie converts it to an unbalanced deal. I must mention I have not taken the interview, but I assume the whole process is done in just one take and is controlled by the application loaded in a browser/phone. And if the movie industry and TV teaches us anything – editing is everything. Even actors applying for roles can have many takes. This just doesn’t seem to be fair…

From a personal standpoint (and to a certain extent, security as well) – what if my terrible webcam video ever leaks and people will have a good laugh at my cost? I’d rather impersonate Kylie Minogue and sing the Locomotion than record a video of myself staring at the camera, mumbling, perhaps shuttering, attempting to glorify my projected strengths and how much I love my future employer of whom I honestly don’t know much about yet, other than the fact they don’t even want to talk to me despite apparently trying to evaluate me and potentially hire me.Ā  Doing so with the other person on the other side of the phone line feels just so much more natural. Perhaps it’s because you have a constant feedback & having a conversation on a professional level is often more a fun process than a dry, bureaucratic multiple-choice test (let alone webcam recording).

And yes, I want to talk to people who I may end up working with.

So, in the end – the dissociation is simply mind blowing to me…

My response: you have failed the interview Mr Potential Employer.

I think the interaction is a key in a hiring process. Sometimes 2 minutes on the phone can tell you everything you need to know about the candidate. Sometimes, a single webcam interview invite via email can tell you everything you need to know about the potential employer…

The final conclusion of this long bit is that we are all human and a mutual respect is the key to a successful interview – on both sides of the fence.

Good luck with your job hunting!