You are browsing the archive for Preaching.

Beyond Fear

December 22, 2020 in Preaching

In his book Beyond Fear: Thinking Sensibly About Security in an Uncertain World, Bruce Schneier tells us that:

a) 9/11 was a evilish, but brilliant plan,
b) risk assessment is hard, but most importantly,
c) У страха глаза велики (Fear Has Big Eyes).

SolarWinds hack is a evil genius, and even if the fallout is going to last for months we do need to pause to contemplate the technical capability involved. If you follow me on Twitter or read my stuff here, you know that I absolutely detest the word capability. It is a buzzword of people who don’t understand technology, and anti-buzzword for people like me – who are civilians, never served and can’t think in strategic, military terms, but are at least bad programmers.

The capability is not coding per se, of course. It is not even staying under radar of security solutions for a few months, or even for more than a year. The real capability is making the backdoor code seamlessly integrated with a code base so that it can be compiled with no errors, and/or compiling your own version of the binary and swapping it at a right time so that it can be signed by the building environment.

The finesse of this maneuver cannot be understated / overlooked.

Now… malicious modification of a source code is actually not that uncommon and not that hard to pull off. Every web site defacement of the past included changing some source files (HTML /ok, not code, but always/, PHP, ASP, etc.). Many e-commerce hacks, especially within PCI space include some sort of modification of the web site’s source code (e.g. add event handler to form submission events to steal credit card details, etc.). Zeus and other infostealers’ injects were genius too.


Somehow, code modification of the standalone, non-web site component, that is, a source code that is compiled into a binary executable is much harder. You know that if you ever tried to compile a source code taken from github or Code Project. So many things can go wrong. I have yet to encounter a source code that compiles on my box w/o any error from a compiler. To make FaaS work it took me good 3 days of troubleshooting.

This brings me back to capability. The surgical operation that (according to what is known) relies on a code injection into a pretty large software source code live branch – source code that changes constantly and is very dynamic in nature, is the skill and tradecraft one has to respect. Is it on the same level as Stuxnet? Definitely not, but it is way above your average red team pay grade.

People coding botnets, rogue anti-spyware, bank infostealers are good malware programmers. People developing 0days and injecting source code into live code branches are very good malware programmers. There is just a few in the world that can really offer this capability. It’s sad, because they will never be able to travel, live in other places, and enjoy any sort of freedom we average people enjoy.

Kowtow and RIP – you will be pwned one day.

Where all the Cyber Tooth Fairies go?

November 13, 2020 in Preaching

One of my favorite TV Series is Dexter. Early seasons were so-so, focused on a cheap thrill, lame TV that you can see all over the place. As the series progress though we observe a shift in the narrative and we witness a true character of the main protagonist developing in front of our eyes. Dexter’s inner thoughts are full of curiosity, inquisitive reflections on life and it’s hard not to relate. We all try to fit in and be a part of it, whatever that ‘IT’ is.

So far I watched the series twice and I know I will come back to it.

One of my fav parts of the series is the history of the Tooth Fairy Killer. Walter Kenny is in his 70s when he is introduced to the audience, and due to his serial killing activities he becomes one of Dexter’s targets. Tooth Fairy Killer’s character is very interesting, because… he is way past his prime, he never got caught and … he is a somehow lonely, old, yet still arrogant individual.

When we swap ‘killer’ with ‘cyber’ we bring this post back to our infosec world.

What happens or will happen to us, aging ‘serial cybers’?

I don’t know. We don’t hear much from cyber people who already retired and are either enjoying their Autumn years, or became wealthy quickly enough that working is no longer necessary and they can focus on hobbies, angel investment, whatever. Then there are these not so happily-ever after retired – these who we end up hearing about on the news or through a grapevine. And it is not surprising to find out that many of these we hear of commit suicide, end up imprisoned, or live bigger life than themselves.

How many of us will end up there?

Putting difficult, and somehow inevitable mental health and medical issues associated with aging aside, what is that we want to do at the age of 70? Will we still work thinking we are saving the world from the cyber crime? What if futuristic laws and protocols make the cybercrime almost obsolete? And if not, will we still care? Will we still hold true and honest the ideals from our 20s? Or, worse, will we become victims of some sophisticated future social engineering tricks that will target us – the elderly? Again, I don’t know the answer. I am not that old yet, yet the questions like this start popping up in my head as I am getting older.

Our industry expanded so quickly that it’s impossible to keep up. It’s now mandatory to specialize. The good ol’ corporate entered the game and we are being institutionalized like any other company department. Is the anniversary watch we get as we retire the only prize for all these efforts, all-nighters and opinions we so eagerly shared with others over these early cyber years?

Maybe it is a price of being in the industry that very quickly goes through stages of maturity. From random, opportunistic to systematic, managed. Very rapidly. There is a final stage of cyber process already emerging today. I expect that in the next few years most of the ‘really’ technical jobs in cyber will move and gravitate around specialized vendors – these providing classification, automation, orchestration or whatever you call it, and providing value derives from frameworks like Mitre Att&ck.

Forget manually crafted super-timelines, inspections of systems, bit-to-bit imaging, and file format analysis. Forget manual malware analysis. Not only OS/Cloud telemetry and forensic/sandboxing capabilities will be provided out of the box, but they will be easy to use, already built-in and the DFIR/RCE hacking as we know will be over. Plus, more and more zerotrust-ish, docker-ish stuff, logs that can be actually used, and finally more and more reliable MFA.

So, where do we land? Working for vendors is an easy answer. Client-side IT Security efforts coordinators aka security vendor managers is another. Security advisors? Security consultants? Table Top exercise coordinators? Teachers at uni?

Or.. perhaps cyber is here to stay for another 100 years ? And maybe, hopefully… Cyber Tooth Fairies is only the problem of the bad guys? Because… there is always something ‘for the benefit of good’ to do?