Security Externalities and the Undefended Victim

Throughout the roiling (and often tiring) discussion over the release and disclosure of “offensive security tools” (OST – previously addressed here), one disadvantage is constantly referenced to show the harm of publicly-available hacking tools and techniques. Put most simply, individuals cite that many organizations have little or no security expertise, tooling, or personnel. Therefore, arguments that publicly available tools and techniques can improve security are irrelevant for nearly all small and many medium-sized organizations Read more…

The False Choice of Penetration Testing Tools

As of this writing (late December 2019), an argument has continued through multiple social media formats on the value (or harm) created by “offensive security tools” (OSTs). As with most discussions taking place online, the discourse – rooted in an originating, absolutist blog post – has rapidly devolved into rival camps that amount essentially to “yay” or “boo” choruses with respect to security testing tools and software. While such crowing from the rooftops afforded by Read more…

Force Multiplication through Standardization and Communication

I recently watched a documentary about the Supermarine Spitfire – Spitfire: The Plane that Saved the World – one of the iconic airframes not only of the Second World War, but of military aviation from its start to the present. In addition to the documentary’s interviews with surviving Spitfire pilots and use of archival footage, the film also noted two critical items enabling the Spitfire’s success: the Rolls Royce Merlin engine and the Royal Air Read more…

BGP, Midpoint Collection, and the Encryption Debate

Note: This post will refer and link to allegedly classified programs leaked by Edward Snowden, and potentially others, in the past several years. If accessing this article from certain networks, readers are strongly advised to preview links before following them due to the possibility that such an action may be considered a spillage of classified information. As always, Think When you Click.© I recently noted an aspect of Internet (in)security that has bothered me for Read more…

What does ‘Attack’ Mean?

One issue that came from my recent CYBERWARCON talk was an item of focus (or for others, limitation) when approaching the idea of what a “critical infrastructure attack” actually means. While I faced some (really good, topical) questions on my definition of “critical infrastructure”, a more public debate ensued over the conception of a cyber “attack”. Within the context of this talk, I used the same definition of “attack” I’ve used in several recent presentations Read more…

OPCW, WikiLeaks, and Russian Influence Operations

On 24 November 2019, WikiLeaks posted an email, purportedly from a whistleblower on the Organisation for the Prohibition of Chemical Weapons (OPCW) team assigned to investigate the chemical weapons attack on the Syrian city of Douma. I will let readers find the original WikiLeaks post, but the story was promptly taken up by Icelandic news site Stundin, Italian newspaper la Repubblica, allegedly Germany's Der Spiegel (I was unable to find a published story), and UK Read more…

Who ‘Owns’ an Incident?

Note: This blog post was significantly revised on 17 November 2019 after initial release on 12 November 2019. The primary alteration is within the second paragraph, noting that the initial event that inspired this blog post – an exchange between a security researcher/responder and a journalist – was much more nuanced than it originally seemed. To the extent that such items can be stated publicly, they have been addressed below. A foundational aspect of my Read more…

Sensors and Sensibility

The most frustrating type of bad argument to refute is one that features or rests upon a kernel of truth. In the worst, most-annoying scenario, one must deal with a counterparty that simply reasserts their position without hesitation, resembling the chess-playing pigeon of Internet fame. More worrying still is that circumstance where the counterparty – for reasons of bias, conflict of interest, or incentive – responds in bad faith, identifying and amplifying those correct components Read more…

The Conflicting Duties of IT Vendors in an Age of Cyber Conflict

On 02 November 2019, Brian Bartholomew (at the time of this writing, at Kaspersky Lab) posted a very interesting Twitter poll. To summarize (or in case the poll is removed), the question can be simplified as the following: if someone bought leaked data from the Shadow Brokers, would you still do business with them? For any company either based, domiciled, or doing significant business in the United States (given the nature of the Shadow Brokers Read more…

The Question of the Benign Indicator

I recently had a discussion as to whether PsExec, the legitimate Microsoft Sysinternals tool often abused by malicious actors for remote code execution, should be included on a list of indicators related to a recent intrusion event. While my overall opinion of indicators of compromise (IOCs) as they are used (as opposed to their underlying idea) is that they are useful, but far less so than most think, the question is significant as nearly all Read more…
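The PsExec question above is really a question about context: the presence of PsExec's service (PSEXESVC, installed on the target when the tool runs) is a benign indicator in most administered environments, and it only becomes useful once it is scored against who ran it, where, and when. The script below is an added illustration of that triage logic and is not code from the original post. It runs over constructed sample records modelled on Windows System log Event ID 7045 ("A service was installed in the system"); the allowlisted account and maintenance window are assumptions for the example, not a recommendation for any real environment.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real log data), modelled on Windows System
# log Event ID 7045. PsExec copies its service binary to the target's ADMIN$
# share, i.e. the root of %SystemRoot%, and installs it as a service named
# PSEXESVC by default (or a caller-chosen name when run with -r).
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "FILESRV01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc-patching", "hour": 2},
    {"event_id": 7045, "host": "WKSTN-HR-07", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe",
     "account": "CORP\\svc-patching", "hour": 14},
    {"event_id": 7045, "host": "DC01", "service_name": "mstdc",
     "image_path": r"%SystemRoot%\mstdc.exe",
     "account": "CORP\\jsmith", "hour": 3},
    {"event_id": 7045, "host": "FILESRV01", "service_name": "Spooler",
     "image_path": r"%SystemRoot%\System32\spoolsv.exe",
     "account": "NT AUTHORITY\\SYSTEM", "hour": 9},
]

# Environment context: both values are assumptions made for this example.
EXPECTED_PSEXEC_ACCOUNTS = {"CORP\\svc-patching"}
MAINTENANCE_HOURS = range(0, 6)

# A service whose executable sits directly in the root of %SystemRoot%
# (not under System32) matches PsExec's drop location whether or not the
# default PSEXESVC name was kept.
_ROOT_DROP = re.compile(r"^%systemroot%\\[^\\]+\.exe$", re.IGNORECASE)


@dataclass
class Verdict:
    host: str
    service_name: str
    score: int
    label: str


def is_psexec_like(event):
    """True for a 7045 event that looks like a PsExec service install."""
    if event["event_id"] != 7045:
        return False
    return (event["service_name"].upper() == "PSEXESVC"
            or bool(_ROOT_DROP.match(event["image_path"])))


def score_event(event):
    """Bare PsExec presence scores 1 (benign in isolation); every point
    above that comes from context, not from the tool itself."""
    if not is_psexec_like(event):
        return Verdict(event["host"], event["service_name"], 0, "ignore")
    score = 1
    if event["service_name"].upper() != "PSEXESVC":
        score += 1  # renamed service: effort spent hiding the default name
    if event["account"] not in EXPECTED_PSEXEC_ACCOUNTS:
        score += 2  # account not expected to drive remote admin tooling
    if event["hour"] not in MAINTENANCE_HOURS:
        score += 1  # outside the assumed maintenance window
    label = "informational" if score < 2 else "review" if score < 4 else "alert"
    return Verdict(event["host"], event["service_name"], score, label)


def triage(events):
    """Score every event; keeps 'ignore' verdicts so the caller sees coverage."""
    return [score_event(e) for e in events]


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        print(f"{v.host:12} {v.service_name:10} score={v.score} -> {v.label}")
```

Against the constructed records, the expected service account's PsExec run during the maintenance window scores as informational, the same account at 14:00 on an HR workstation is flagged for review, the renamed service installed on a domain controller by a user account is the only alert, and the Print Spooler install is ignored outright. The string "PSEXESVC" on its own never produces an alert; the context around it does.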