Collaborate Disseminate
A few years ago, I gave a DerbyCon presentation on the Ambush open-source host intrusion prevention system I was working on, as well as evasion techniques you can use against systems like that, implemented in the hoarder project. Ambush was an interesting project in dynamic system-wide user-mode hooking which has since faded away a bit, […] Continue reading Hoarder
I recently presented Supply Chainsaw: Practical software supply chain attacks for everyone at the OPCDE technical security conference in Dubai.
To summarize: Continue reading Supply Chainsaw: Practical software supply chain attacks for everyone
In any complex system, a solution that best meets one goal will fall short in other areas. Computer programs to solve nearly any problem in the fastest manner will not be the algorithms that use the least memory. Solutions that can be written in the least amount of time will neither be the fastest nor […] Continue reading Goals
For another short detour from information security… Climate policy is again in the news. The past year has seen record high temperatures, the election of a US President who claimed global warming was a hoax invented by the Chinese (then later backed off), and the 10th anniversary of probably the most authoritative decision regarding climate […] Continue reading Climate Change Archive
tl;dr Just Enough Administration (JEA) is a new Windows 10/Server 2016 feature to create granular least privilege policies by granting specific administrative privileges to users, defined by PowerShell commandlets and scripts. Microsoft claims JEA is a security boundary so effective you do not need to worry about an attacker misusing the credentials of a JEA […] Continue reading Just Too Much Administration – Breaking JEA, PowerShell’s New Security Barrier
A few weeks ago, a lot of attention was paid to Dropbox for “hacking” macs. Dropbox asked for your admin password when it was installed, then used that root access to enable privileges later even if you try to disable them. Despite the internet’s indignation and Dropbox’s impoliteness, Dropbox wasn’t exploiting any vulnerability or breaking […] Continue reading Intercepting Passwords to Escalate Privileges on OS X
Common wisdom would have you believe when you run sudo that you are only granting root privileges to one command at one point in time. In reality, you are granting root privileges to any hacker who has ever run any code in any process at any previous time in your account and decided they wanted escalated privileges.
Use completely unprivileged accounts for day-to-day tasks, then log out and log in with a privileged, trusted account for privileged tasks; don’t use runas or sudo from your day-to-day account; it eliminates the security benefits of using the unprivileged account.
Control should always flow from a more privileged and more trusted environment to the less privileged, untrusted environment; going the other way, even when presenting credentials, only allows those credentials to be stolen and hackers to ride up to the higher privileges. This is not a new idea; it is why Microsoft’s #1 recommendation to secure privileged accounts from credential theft is to make it so you cannot log into a privileged account from an ordinary, untrusted workstation. But this principle frequently seems to be forgotten. Continue reading The Security Pretend Game – Sudo and Runas
If you’re writing tools for red teaming or pentesting, the main point of your backdoors, or implants as people are starting to call them, is to enable remote control of a system without being detected. If that fails, and your backdoor is found, the next best option is to avoid analysis so any of your […] Continue reading Defying Analysis With Sparse Malware
Cloud services can save a lot of time and money, but security is a frequent concern. You use the providers as a data store right now, but it is not simple to do so in a way that is available and flexible for live applications, keeps information confidential from the cloud provider and prevents the cloud provider from silently corrupting data to break your security model. The good news is that by layering existing technologies on top of each other, we can achieve those goals.
The basic idea is to use the untrusted system as a remote block storage device, then layer an encrypted mapped block device on top of that using LUKS to keep the cloud provider from seeing the data contents, then layer a filesystem that performs both metadata and data checksumming on top of that. Continue reading Using a Fully Untrusted Cloud
Although I have done a lot of software development on different projects, I am not great at making nice looking UI’s. Someone recently told me it would be easy to set up a simple but nice looking webapp starting with a quick Yeoman Angular tutorial. What follows is my actual experience. Step 1: Get development […] Continue reading Yeoman Angular Bootstrap