• tl;dr sec
  • Posts
  • [tl;dr sec] #18 - \"GitHubification\" of Infosec, Ring Privacy, Ransomware Economics

[tl;dr sec] #18 - \"GitHubification\" of Infosec, Ring Privacy, Ransomware Economics

Blue teams can become highly leveraged by sharing knowledge effectively, Ring's partnerships with the police, viewing ransomware through an economic lens.

Author

Clint Gibler
December 18, 2019

Hey there,

This week I’m working remotely from the Midwest, visiting my family for the holidays. There’s this weird fluffy white stuff on the ground- still trying to figure out what it is 🤔

But really, I remember when I first moved to California, and saw people wearing their warmest winter coats when it was 55 degrees out; meanwhile, I was wearing a sweatshirt and thinking how nice the weather was. I felt like I had super powers! Now I’m the same, sigh.

Moved to tldrsec.com

You may have noticed that our blog has moved from programanalys.is to tldrsec.com. It turns out that’s easier to tell people than, “So it’s ‘program analysis’ but the .is is the domain. Wait, no, the period is there. Oh, you’ve almost got it but…”

🎄 Break for the Holidays

As next week is Christmas and the following is New Years, I probably won’t be sending out another tl;dr sec for 1-2 weeks. Happy holidays! I hope you have some time to relax with your loved ones and eat some good food.

📜 In this newsletter...

🔗 Links:

  • Privacy: Ring's partnerships with the police, livestreamed podcast of hacked Rings, Signal groups, Telegram surveillance bot

  • Talks: BlackHat USA 2019 talks posted, Malware Unicorn's BlackHat EU keynote, extending Ghidra, deobfuscating an Android botnet

  • Githubification of InfoSec: Blue teams can become highly leveraged by sharing knowledge via things like the MITRE ATT&CK™ framework, detection definitions in Sigma rules, and repeatable analyses written in Jupyter notebooks

  • Misc: security.txt progresses, legal docs for physical pen tests, example CISO application slide deck

  • Ransomware: Towards an Economic Equilibrium: on the economics of ransomware and its similarities to kidnapping

  • Tools: Facebook's Python static analysis tool finds its first CVE, an IPython notebook to explore ZAP's API and scripting functions, omnibot - a Slack proxy and bot framework

Privacy

Although there’s no credible evidence that Ring actually deters or reduces crime, claiming that its products achieve these things is essential to its marketing model. These claims have helped Ring cultivate a surveillance network around the country with the help of dozens of taxpayer-funded camera discount programs and more than 600 police partnerships.

When police partner with Ring, they are required to promote its products, and to allow Ring to approve everything they say about the company. In exchange, they get access to Ring’s Law Enforcement Neighborhood Portal, an interactive map that allows police to request camera footage directly from residents without obtaining a warrant.

Ring, has, among other things, helped organize police package theft sting operations, coached police on how to obtain footage without a warrant, and promised people free cameras in exchange for testifying against their neighbors.

The article hypothesizes that Amazon may have bought Ring to help reduce package theft (which cuts into margins) and because of its existing relationships with law enforcement.

The documents reveal that an explicit goal of these operations was to catch someone stealing a package on a Ring doorbell camera and arrest them. Another goal was to get as much media coverage as possible. Amazon, Ring, and the police spent days discussing local news coverage and meticulously rewrote press releases.

Inside the Podcast that Hacks Ring Camera Owners Live on Air
“The NulledCast is a podcast livestreamed to Discord. It’s a show in which hackers take over people’s Ring and Nest smarthome cameras and use their speakers to talk to and harass their unsuspecting owners.” It’s not really hacking, it’s just using software that can use previously compromised email addresses and passwords to break into Ring cameras at scale.

Technology Preview: Signal Private Group System
An interesting discussion of the technical challenges in implementing groups in Signal in a way that maintains various strong privacy guarantees.

Informer: A Telegram Mass Surveillance Bot in Python
A bot library that allows you to masquerade as multiple real users on Telegram and spy on 500+ Telegram channels per account. Details are logged to a MySQL database, a private Google Sheet and your own private channel for analysis.

Inside Scoop
One cool thing about working at NCC Group is being able to work with colleagues who are world-class in specific areas, like cryptography. When I asked them which secure messaging app best respects my privacy / has the most desirable cryptographic properties, they’ve generally given me the unanimous answer: Signal.

Talks

The BlackHat USA 2019 videos have been posted.

Blue to Red: Traversing the Spectrum
BlackHat EU 2019 keynote by Malware Unicorn. She describes how security fundamentals have been critical to her career success, from being a forensic technician in government, to a malware researcher in the private sector, and currently as an offensive engineer on the red team at Facebook.

Extending Ghidra
A talk from an 8+ year Ghidra developer on extending Ghidra with scripts and plugins.

The Path to the Payload: Android Edition
REcon talk by Maddie Stone on the obfuscation used by the Android botnet, Nicro. (slides)

By John Lambert, Distinguished Engineer, Microsoft Threat Intelligence Center.

“A community-based approach in infosec can speed learning for defenders. Attack knowledge curated in the MITRE ATT&CK™ framework, detection definitions expressed in Sigma rules, and repeatable analysis written in Jupyter notebooks form a stackable set of practices. They connect knowledge to analytics to analysis.

If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.”

The MITRE ATT&CK™ framework gives us a curated taxonomy of attack tactics and techniques used in the wild.

“Various threat actors are described by the ATT&CK techniques they use. Defenders can then evaluate their defensive controls against the subset of techniques used by the specific threat actors they face.”

Sigma (source code) provides a generic, vendor-agnostic way to write detections on logs. It comes with a set of converters that translates the Sigma language into popular query tools including Splunk, Elastic Search, QRadar, and others (uncoder.io can be used to do this easily).

Researchers and people writing security advisories can share Sigma rules to self-document concrete logic for detecting attacker techniques.

Jupyter notebooks can be shared that make investigation processes repeatable and document how relevant data was enriched.

“When someone else downloads a notebook, they can follow along on the analysis, or they can apply the methodology to their data by re-running it. This ability to execute the analysis against similar data is a powerful concept that allows one to encapsulate expertise. Now any publisher of a notebook is not only a teacher, but also a virtual team member.”

Relatedly, in tl;dr sec #11 we saw Twilio release SOCless, their serverless framework for running SecOps runbooks at scale, and Dropbox discussed their automation around threat detection and IR built on Jupyter notebooks.

Roberto Rodriguez has a blog series on using Jupyter notebooks for threat hunting, here’s a blog post on using the ThreatHunterPlaybook Project + Mordor (pre-recorded security event datasets), and Netscylla also has a blog that walks through one of the author’s notebooks for use in an incident response scenario.

Florian Roth has an open source repo of Sigma rules, and the Open Security Collaborative Development recently organized an effort to contribute Sigma rules for MITRE ATT&CK techniques.

Too often we see attacks at the same time yet learn to defend alone. This paper shows how community-based approaches to infosec can speed learning for everyone. Imagine a world where attack knowledge is curated in MITRE ATT&CK. Then Sigma rules are developed to build concrete detections for each attack technique. Then any hits for those rules could be triaged and investigated by a tailor-made Jupyter notebook.

When researchers publish on a novel technique or CERT organizations warn of a new attack, they can jump start defenders everywhere by contributing elements in each of these frameworks. If every organization were to contribute their unique expertise, and every organization were to build on the expertise of others, infosec silos could be connected through a network effect to outpace attackers. Defenders going far, together.

Misc

security.txt is making its way through IETF
“When security vulnerabilities are discovered by independent security researchers, they often lack the channels to report them properly. As a result, security vulnerabilities may be left unreported. This document defines a format (“security.txt”) to help organizations describe the process for security researchers to follow in order to report security vulnerabilities.” (full text of spec)

TrustedSec released their legal documentation for physical security assessments. I think this is awesome, and will hopefully help prevent future cases like the two Coalfire employees who were hit with felony burglary accusations for testing the Iowa State Judicial Branch, which they were hired to do.

Dinis Cruz shared the slide deck he created when applying for the role of CISO at Babylon Health.

Blog post by Kelly Shortridge on “how the economics of physical ransom translate to digital ransom, and how we as an industry might want to reconceive our current approaches to considering and dealing with ransomware – and the criminals who run ransomware campaigns.”

  • In short, kidnappers, pirates, and ransomware authors want the situation to “go well” for the victim, because if they get a reputation for bad outcomes, people won’t pay.

  • Since these sorts of illegal activity are inevitable, we want to have “good” attackers, who do not kill their victims and who allow safe recovery of data.

  • Kidnapping insurance and cyber insurance help incentivize skilled attackers who keep their promises.

By accepting reality, we can depart from the unrealistic goal of “eliminate all ransomware attacks” to “maximize reliability of data recovery in ransomware attacks.” Part of maximizing reliability is encouraging better attackers, which is done by raising the cost of attack.

While it may feel uncomfortable to accept a healthy level of malicious activity, at a certain point, we must become pragmatic rather than wallowing in sententious idealism. We can never fully prevent attacks, and that goes for ransomware as well. But we do have a chance to encourage more intelligent attackers – who operate professionally, incentivized by ongoing business interests – so that the ultimate impact of ransomware is less deleterious than what transpires under the claws of disorganized, incompetent attackers.

Tools

Pysa, the Python static analysis tool by Facebook, found its first CVE, an open redirect in the thumbnail view of Zulip, an open source team chat application. Pysa’s docs have also been updated with more info on increasing its coverage.

ZAP-Mini-Workshop
An interactive IPython notebook to demonstrate OWASP ZAP’s API and scripting functions, by Abhay Bhargav.

(Lyft) Announcing omnibot: a Slack proxy and Slack bot framework
Over time, Slack has added a number of APIs for writing integrations. Depending on what functionality you want (e.g. slash commands, interactive components), you may have to use different sets of APIs, which can cause you to have to mostly rewrite a bot if you made the wrong choice when you started.

We point all Slack apps at omnibot for event subscriptions, slash commands, and interactive components. omnibot routes those events to configured callbacks, whether the callbacks are within omnibot, or in another backend service.

Backend services can call Slack’s Web API for any configured team and bot via omnibot’s wrapper APIs.

We can choose to send a specific event to one backend service, or multiple. We can move functionality for a bot between services or between bots. We can move Slack notification logic between services transparently and easily. Multiple services can act as a single bot without needing to have access to that bot’s credentials.

Omnibot Architecture

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I'd love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,

Clint

|