Infosec Press

Reader

Read the latest posts from Infosec Press.

from JR DePriest

In the Aether there is a temple, a pyramid of stone, missing the capstone, forever bathed in the red-gold light of a setting desert sun. The doors are always open and the inside is filled with long shadows that provide respite from the heat. You are welcome to sit, relax, contemplate. You've earned your place here. If you explore, you may find the goddess of the temple, Sekhmet, she with the head of a lioness, arbiter of courage and inner strength. She may smile, she may beckon or direct, but she never speaks. It isn't necessary. In this case, she glanced at a passage off in the distance, one I hadn't yet seen. It danced with a curious flickering array of colors and so I moved toward it. Even before I could see it clearly, I felt it, like an oven, but I was strong, so I pushed forward, I had to see. My skin felt as if it may peel away, like the worst sunburn you've ever had, but still I pushed. And I saw a corridor, lengthy and filled entirely with flame. Somehow I could see through the flame to the far side. There was a courtyard overgrown with brambles and weeds, toppled columns, collapsed buildings, and people, so many of them. Each oblivious to the others, heads down, shuffling aimlessly in the dust of a dead city. Their despair was palpable, their loss, their regret, their guilt. Each felt that this great calamity was their fault alone and that rebuilding was not only impossible but a blasphemy, an attempt to erase what they had done, what they had caused. No. This is the way it had to be. Each felt that they alone were suffering in isolation, in silence, “as it should be” they thought. To them, this was a deserved fate. But I could see into their hearts, a place they'd long stopped looking. I could see their mistakes, simple and compounded, but infinitely forgivable, not worthy of this self-imposed punishment. Yes, each, in their own way, had led to the collapse, but there was no malice, no intent. 
They had it in them to forgive, repair, rebuild into something greater, but could not see it. I turned to Sekhmet and asked, “why are they suffering? Why don't you tell them they don't deserve this? Why don't you help them?” She said nothing but nodded and looked away as if to say, “that is not my duty.” This was horrible. I knew they could be saved. I knew they had everything they needed if they'd just look around, notice each other, share their feelings and their desires, pool their skills. But they would never look up. They would never see anyone other than themselves and their unearned shame. I knew in that moment that I could turn away from this fiery tunnel, return to the cool shadows of the temple and relax. After all, I had earned it. None would fault me for accepting the reward that I deserved. But I couldn't get their faces out of my mind, their blank expressions, seeing nothing but what they had lost. I also knew that I could save them. I could. I could teach them and help them. But I would have to pass through the flames to do it. No one would help me, no one would notice my approach, none would worry about my pain and suffering. In fact, they'd warn me away, tell me to go back. I knew all of this, but I pushed forward anyway. The liquid wall of heat pressured me to go back, resisted like being under water. My feet stuck to the floor as the skin sloughed away. My body screamed as millions of tiny needles dug into my flesh, pulling, tearing. My scalp burned as my hair burst into flames. I could stop right now. I could stop and instantly be transported to the cool stone floor of the temple behind me. I knew that. Even as my eyes boiled in my skull, I could see them, feel their despair and their emptiness. I knew if I didn’t help them, then no one would help them. I knew loss and regret, but I also knew hope. Yes, I had betrayed people I loved. 
Yes, I had lied, I had cheated, I had very nearly murdered, but I became a better person because I survived these things and learned from them. My fingers clasped at nothing, the muscles barely responding, my tongue was swollen and raw. I knew, again, that I could stop, right now, and instantly be soothed, be safe. I knew I could have that because I had earned it. I deserved it. But did they deserve what was happening to them? Could I live with myself knowing I could have made a difference? I was shaking now, on autopilot but still moving toward them. I cried out, but no tears could flow in such heat. I crawled. I fell. And landed in damp earth, humid and rotten. I was whole again and I had crossed the barrier. Something had been left behind in the flames, something was burned away. I had new purpose, new dedication. The lives of those around me poured into my consciousness, they had dreams once, and hope. All of them. I schlepped through the mud to the closest person and lifted their head so I could look in their eyes. He was elderly, old beyond reason, and his eyes were empty. Not blind, just empty. I spoke softly, “I know your name, I can sense it. You are Ka'telon, once a stone mason, a builder, and architect.” He blinked and shook his head, mumbled incoherent sounds as if he'd forgotten how to speak. “Do you remember the first time you felt your connection to the world around you? To other people?” He found his voice, “What does that matter when they are all dead? When all I have are memories of what was done? When I can still hear their screams? I am connected to nothing because there is nothing left.” “Open your eyes and look around,” I implored. He squinted and muttered, “As I remember it. Nothing left. Surrounded by those who will never forgive me for what I've done.” He pulled away and lowered his head, ignoring me. The next person I addressed was an ancient woman, I felt she had been an artist. 
“Do you remember the first thing you created?” She paused, coughed, “I put two colors on paper, blue and yellow and saw the sun and the ocean. But that was through a child's eyes, worthless and naïve.” “But the wonder you felt, the possibility. You continued to paint, yes?” “I did. Until I created works that were hung in places of honor and called beautiful. But where is it now? Decayed into filth and dust. Nothing remains. What I did was meaningless. It solved nothing, saved no one when the time came.” “Norette,” I called her by name, “you are wrong. What gives someone hope is not what is practical or useful, it is what causes us to see beyond what is in front of us. Those things that challenge us to look at the world around us in a different way, that pushes us to think unfamiliar thoughts. To look forward.” “Bah! There is nothing forward but the same forever and ever.” She walked away. Next I spoke to another old woman, “Cybil,” I called to her, “when was the last time you sang?” “Once I felt the beauty of song. How a voice could tell such a story with no words, how a heart could be buoyed or sunk, an army bolstered or cowed. A chorus of song was to hear the gods speak. Yes, I sang. I sang on the last day. Songs out of mythology and history, songs calling out for aid, for any of the gods to show themselves. But none did. And so I no longer sing because no one is listening.” “Did you only sing because someone would hear it? Did you not sing to yourself, sing in individual praise, sing to feel the music rise in your throat and sprout into the world? Did you sing only because it inspired?” “I sang because it suited me. Now leave me.” She too left me standing alone. Discouraged, I sat on an old stump and wondered what else I could do. I could see their strengths, the ones they'd forgotten and denied and buried. I could see their potential. But they were in so much pain, so much regret. I prayed to my goddess and my god. I asked for guidance.
I asked for encouragement. I heard a bird singing, trilling and whistling, like Spring. It was just for a moment, then silence. I looked around and saw Cybil, by herself, facing away. I heard the song again and realized it was her. Her voice having lost nothing but she was unsure, frightened. As I studied the rest of the city, I saw Ka'telon slowly stacking collapsed stones. I saw Norette using mud to experiment with creating a mural on the side of one of the empty houses. I could not do this for them, but I could give them the push they needed. So I spoke to every resident. Reminded them of the elation of hope, the joyousness of creation. And so they swept, and cleaned, and built, and decorated, and sang, and wrote, and devised clever solutions, and vowed to never make the same mistakes again. They forgave. And through it all, they worked together. Deep inside, they knew the city would one day fall again. But, for now, they allowed the majesty of their accomplishment to lift them up. It was not about tomorrow or yesterday, but about today, about love and compassion and giving. Their eyes were bright, their bodies young, and their minds full of potential. And, back in her temple, Sekhmet smiled.


#Fiction #Writing #WritingCommunity #Oracle #Sekhmet #Hope


This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.


from acrypthash

What I have been up to

I got up a little early today to work on my to-do list, since I have been out working on other things as of late; however, I decided it was time to update my blog with a quick snippet of what I have been up to lately.

Last week I attended a cybersecurity conference in my area called SecureWorld. I had a really fun time. I sat in on a bunch of very insightful talks that ranged from an FBI agent reviewing a crypto mining case to listening in on a panel about risk and how to communicate which risks are key in a business. I also had the opportunity to talk to some vendors that our company has been utilizing for some time now. Overall, the time and money spent to attend was well worth it.

Yesterday, I also gave a talk at Penn State on Vulnerability Management with Data Driven Defenses. I had an absolute blast. I had spent a lot of time preparing in the past few weeks, practiced the talk to my dogs, and even did a test run with my team in our daily working session meeting. The students seemed interested throughout the whole talk and I even got a shirt and food from them at the end :D. I am most definitely going to be looking into doing more talks.

For now though, I need to get back to work. I have many items and projects that were back-burnered the past few weeks that require some attention. I also have a cybersecurity intern who will be starting with me at the end of next month. Until then, back to the grindstone. LET'S GO!


from HiddenPoss

(0002 – P)

Well, this quest started due to my weird obsession with hidden messages. Yes, I do use invisible ink, and I also use coded messages in my notes. I also accidentally code my messages, though. I sometimes write like I read, dropping words and letting context clues fill the blanks.

While I love the idea of encryption, I also love the idea of hiding in plain sight. Similar to number stations. We all know their radio bands, but what they are sending... is still being determined. My current drive to create something comes from the idea of number stations, and I am making something hidden but also open to the public. It's a fantastic idea in my mind, and this is akin to an art project.

So where am I now with this? Well, I'm creating words per se, and I'm basing it on Chinese or Japanese in the way the symbols can both be read and mean something. Well, about that being “read,” my goal is for it not to be able to be read. As there are no sounds. But how can it be read then? While I am no music major, I considered attributing words to notes or chords in sequence. This way, innocuous music or a song in a YouTube video can suddenly be a secret message to worship Satan and make blood sacrifices.

But, for now, this is more of a shower thought as I need to play with a test run of these. Which I already am in secret. As it's still a dumb idea.


from HiddenPoss

I'm not fully sure on the direction of this blog, but I suppose a few things I might try would be longer-format posts, with specific topics such as tech or just my personal life. I might even cross-link stuff to the other “blog” I've got, which is a WordPress, as it's free there too. It also gives me some leeway to post stuff that can be frowned upon elsewhere.

Also a major thing to note: unless it's an important post, there won't be a spell check. I will go over them at a later date, but a spell check won't be used unless it's an important one.

For my posts I'll probs have a selected numbering order and tags.

The tags are...

G which is for General topics
P which is for Personal topics
T which is for Tech topics
D which is for Doodles
G which is for Gaming
A which is for Investigation topics
Y which is for Spooky topics
N which is for NSFW topics
K which is for (short) Stories
F which is for Old posts

G

Well it's like these. Something that lacks a real topic.

P

Something related to my personal life. Yes I know bad idea for opsec.

T

Tech topics, which can be anything from me reviewing something to me posting stupid code. TryHackMe and Hack The Box stuff are also included.

D

These are doodles or drawings.

G

Well surprise surprise I'm a gamer. So you might see some clips.

A

Investigation topics are going to be light, solely because this stuff will normally take time, but these are light skimming.

Y

While I ain't schizo I do see shit on occasion so I thought of posting them here. These are converted from my journals though.

N

I doubt I'll post an NSFW topic. But it might be a short story that is NSFW.

K

These will rarely be new, but often just retyped short stories I did in high school or younger.

F

These are just old posts from elsewhere.

How do the tags work?

The system just might be the 2nd line will have the (number) – (tag) so for example (0687 – YNDF)

(0001 – G)


from Hyperscale Security

It is just about two weeks before RSA Conference 2023, and the hype train accelerates even beyond its usual fever pitch. Learn which latest threats you should definitely buy a new tool for. Find out what version of Zero Trust we're at and what generation the latest NextGen Firewall is. See which cybersecurity startup has the biggest booth.

Blockchain! Zero Trust! Ransomware! Software Supply Chain! DSPM! ChatGPT!

Is XDR still hip? In cloud security, nobody even wants to say “CSPM” anymore, and CNAPP's oxygen is increasingly stolen by DSPM, the newest kid on the block. It could have been CIEM, but that is such a poorly named category that it didn't make it. CIEM probably is an IAM subcategory anyway, but that sounds so old-fashioned, boring and unsexy.

But none of that matters, anyway, because since ChatGPT was released, the entire cybersecurity industry has an opinion on the dangers and risks, as well as possible benefits of Large Language Models.

“ChatGPT-enabled” will be all over the show floor.

It's the Basics, Stupid!

Reports by the vendors of our shiny tools, such as this recent one by Qualys, show that we may have shiny tools, but they just record poor security postures. Visibility is better than having nothing at all, but deployment of tooling is just the beginning. Next comes the engineering of contextualizing alerts and findings, enrichment with metadata, and the ability to attribute them to the right team in the organization that can do something about them. Then comes the reporting, SLA tracking and organizational accountability, the developer and workforce enablement and security awareness, and compliance processes.

Everybody wants to evaluate tools, run PoCs, define security architecture, requirements and policies for others to follow. But we shy away from doing the hard work of making our environments more secure. That, we say, is someone else's problem. If only the developers and ops people would just do what we say...

It is still about the “basics” – the unsexy, really hard things you need to do:

  • Asset Inventory Management
  • IAM and Access Control
  • Network Controls
  • Encryption in-transit and at-rest
  • Keys and Secrets Management
  • Logging and Monitoring
  • Compliance and Vulnerability Management

Zero Trust requires that you do all these things to be effective. The same is true for ransomware or data extortion attacks. We debate esoteric, academic risks and conceptual frameworks instead of how to practically run effective security programs. We talk about post-quantum cryptography when NIST hasn't established standards yet, and we still can't get our organizations to rotate keys periodically.

The Real Innovation is in Sec(Dev)Ops

I have been in Silicon Valley for over 20 years. When all the hype was about the gig economy, social media and the startups in the city, the real innovation took place in the Valley (and Seattle/Bellevue, to be fair) – where big tech companies were figuring out how to run large data centers and cloud services.

I have the feeling we're going through the same thing in cybersecurity at the moment. The industry is off doing its own thing that gets a lot of attention and is unquestionably overfunded, while SecOps teams within organizations are adopting cloud-native and DevOps practices to innovate and engineer new processes that drive effective security outcomes, often based on open source solutions.

That is not sustainable. Budgets are flat or tightening. And the industry can't reprice itself because it is too leveraged.

Have a fun RSA, everyone. It may be the last exuberant one before the crash.


from Hyperscale Security

A colleague of mine whom I worked with extensively over the past months told me that she attended a security conference this week, but left early. I asked why.

There was nothing there that was relevant to me.

This was not a new experience to me, and I congratulated her on having passed a significant milestone. When you focus on cloud security, this is not unusual. Over the last few years I have found that the most relevant conferences were DevOps and cloud-native conferences, where security was only an aspect – albeit an important one – of the conference scope, or cloud security-specific gatherings, rather than the more typical cybersecurity conferences, where cloud is often absent. This goes for the big-name conferences as well as smaller events.

Stuck in What We Know

I recently spoke at a two-day closed-audience cybersecurity conference. It was filled with fascinating talks, but the only cloud security session was mine. This low representation is not unique to smaller events, but is also the case for the big-name conferences like RSA, DEF CON and Black Hat, CCC conferences, and others.

Malware, ransomware, phishing, appsec, data privacy, memory corruption, OSS, software supply chain and network security are all important topics, and conferences want to cater to a broad audience. But infosec/cybersecurity conferences seem to be stuck in familiar territory while around us the world is in the middle of a massive cloud transformation.

Cloud Security is Elsewhere

I yearly get my talk proposals rejected by the RSA selection committee – it's OK, the feeling is mutual ;) – but colleagues of mine and myself have presented repeatedly on cloud security at fwd:cloudsec, KubeCon, ChefConf, and elsewhere. The first is a cloud security specific conference, the other two are cloud-native and DevOps conferences where security is not the only topic.

Cloud security seems to be largely debated via blogs, podcasts and social media, and, aside from a few exceptions, is a “guest” at others' events. It reminds me a bit of drum & bass in dance music, largely happening via (initially) pirate radio, the internet, a small side room at a multi-stage party, and the occasional club with a DnB-only night on a Monday or Tuesday.

Developer Autonomy and the Irrelevance of a Department of No

In a cloud landscape, the traditional gatekeepers are gone. Rather than network security teams or infrastructure provisioning teams providing some level of central control, developer teams through everything-as-code deploy entire landscapes independently from such gatekeepers, and have far greater autonomy. They may choose cloud-native platforms that your traditional security tooling doesn't know what to do with. Modern CI/CD pipelines with frequent deployments require security teams to respond far more quickly than they are used to, and pose whole new challenges they haven't seen before.

A Department of No that is not prepared for the threats and risks of the cloud, as the organization around it rushes into cloud transformation, is at risk of becoming irrelevant and likely to be ignored.

Cloud Security Must Have a Place in the Mainstream

Security teams are often slow to respond to our employers racing into the cloud. That goes for security standards as well, with ISO and NIST only slowly becoming aware of the cloud. Security certifications lag as well. Since cloud security is underrepresented in the usual cybersecurity information channels, it is not easily accessible.

Cloud providers and cloud security vendors have done good work, but how does someone new to the topic navigate this ever evolving market and know who to trust? Even if you select good vendors, how do you operationalize their solutions into your processes? Where do you learn from prior experience?

How would you know that the best cloud security practitioners network is on LinkedIn? How would you get to know the key contributors to follow to grow your network, and get into the stream of blogs, podcasts and events where cloud security approaches and practices are shared, based on actual experience? Even that is only, as far as I know.

It is high time that cloud security finds a place in the infosec mainstream, to establish more structured and stable fora to share practices broadly – to those coming into the cloud security community new – and deeply – for those already there.


from JR DePriest

In an ordinary forest sat an unremarkable pond brimming with countless identical tadpoles.

Mottle did not like blending in. “Someday, I’m going to stand out,” she said to no one in particular.

“Why? Do you want to get eaten?” exclaimed Spish… or was it Bloit?

Wub swam up, “Mottle wants to ‘stand out?’ Good luck with that. I’ll be hiding in the mud.”

As their tails shrank and their legs grew, Mottle still secretly hoped to be different, unique.

They became frogs, brown and green with black spots. Perfect for blending in and staying safe.

All except for Mottle.

Mottle was purple. Not just the dark purple of deep water, or even the soft purple of an iris, but a mighty, iridescent purple.

“Stay away from Mottle!”

“I bet hawks can see her from the air.”

“She’s like a great big beacon for predators.”

Not welcome in the water, Mottle spent most of her time climbing in the weeds and singing, her bright skin blazing amongst the greenery.

Her song was entrancing, and even though the other frogs enjoyed listening, they would not accept her. Bloit yelled, “I hope you get eaten!” before diving back into the pond, brown swirls following him into the murk below.

Mottle sighed and kept singing. She chirped and barked and croaked and whistled and whined weaving music like no frog before her.

Every cottonmouth or raccoon that saw her couldn’t bring themselves to eat anything with such a talent for song.

Still, no one was happy. Spish complained, “Thanks to Mottle, more of us are getting eaten just because everybody comes to hear her singing.” Wub added, “If I weren’t so good at burying myself, I’d have been someone’s lunch months ago.”

Finally, the eldest frog, Glergle took action, calling Mottle down.

She swam in front of him full of worry.

“Mottle, you have consistently brought danger to the entire pond. Your ridiculous skin is a distraction and your incessant singing is bringing predators far and wide.”

She was silent.

“We have no choice but to banish you. Get out and don’t ever come back.”

Mottle was motionless, stunned, but managed to eke out, “I could stop singing, I could sit in the middle of the pond all—”

Glergle interrupted her with a single, “No.”

“But you are my family,” Mottle insisted.

“Some things are more important than family,” Glergle intoned. “Now get out.”

She hesitated.

“Go! GO!!!”

Mottle dashed away in a cloud of bubbles, crying to herself as she hopped through the mud and weeds, drier ground, brown leaves, tiny stones until she was further from home than she had ever been. Climbing the nearest tree, she sang and cried. She sang of loneliness and friendships lost, of trusts broken and promises forgotten, of childhood fantasies giving way to cruel realities.

She vowed to sing until she could sing no longer, to keep going day and night.

Weary and weak, she sang on through sunsets and sunrises, barely aware of her surroundings, slowly starving herself and becoming dangerously dry and brittle.

Until, at once she was blinded by a brilliant flash of light and fell. But not to the ground, to some sort of slippery translucent cave. She was so tired, she resolved to simply fall asleep expecting to never wake up.

After an unknown time, she opened her eyes. She felt moist and could hear flowing water. In front of her was a live cricket with no legs that she quickly ate.

“Am I in heaven?”

“No,” said a deep voice. “But it might as well be.”

She focused further out and saw a frog larger than she thought possible.

“Ah!” she tried to jump away but was still too worn out.

“Hey! Relax! I’m not going to eat you. There’s no need for that here.”

Leery, but with little choice, she settled down, “Where am I? Who are you?”

The huge frog continued, “I’m Dom and this is our little paradise. Humans feed us, make sure we are healthy, and come by to tell us how amazing we are all day long.”

Mottle crooked her head, “Why don’t they eat us?”

Dom laughed, “Eat us? They love us!”

She noticed Dom’s coloring, “You’re very… orange.”

He nodded, “Yep. And Urdip is blue, Pic is yellow, and Kree is red. We’re like a rainbow.”

She finally noticed the other smaller frogs behind Dom.

“What’s your name?”

She smiled, “Mottle. My name is Mottle.”

“Well, Mottle, we welcome you.”

Mottle inched out of the safety of the small indention she’d been placed in, “Don’t you think my color is a bit much?”

Urdip, a very skinny frog with long legs and eyes that seemed to never stop moving skipped forward, “No. Why would I?”

Pic, a tiny frog no larger than a cicada added, “Where I’m from, a color like mine is a signal that I am a frog of great importance. People would gently pick us up and make sure that our homes were safe.”

Kree seemed slower than the other frogs and added, “You must have been pretty special, too with a polish like that. It’s like… so… shiny.” He continued to stare at Mottle without saying another word.

Mottle tilted her eyes back and looked over herself: still so purple she was almost glowing.

Dom groaned, “Don’t mind Kree. He’s eaten a few too many strange mushrooms if you know what I mean.”

Mottle felt the ground shake and could hear a commotion somewhere nearby. Scuttling back to her hole, Dom called after her, “No! Don’t worry!”

Urdip was already beside her, “Mottle. These are our fans. It’s time to give them a show.”

She was confused, “What do you mean?” She was still inching toward safety.

Pic, while scurrying toward a stick to climb yelled to her, “The people who love us, they take flashes of us and ‘ooh’ and ‘ahh’ over us every day. It’s why we get the good crickets, my dear.”

Kree was shuffling toward a leaf to stand on and Dom just stayed right in the middle. Nobody could miss Dom.

Urdip beamed, “Come with me, Mottle. We’ll dazzle ‘em!”

Mottle decided to follow her and see what all of this was about. Urdip bounded toward the glass and jumped right up on it, sticking in place.

She studied Urdip and wondered if her color was a mistake or if all of her kind were like that. The vivid blue reminded her of the way the sky looked from under the pond where she used to live.

She didn’t think she could stick to the glass, so she climbed up a nearby branch and held on.

People began filing by. Mottle held her breath but the others had been truthful. There were startled sighs and tapping of glass and murmured words and many, many flashes.

No one tried to eat them or capture them. All they had to do was be themselves.

She was so happy that she closed her eyes and began to sing. She chirped and croaked and whistled and told a story of being lost then found, of being afraid then safe, of being alone then accepted, of being ashamed then free, of being an outcast then loved, of loss and new friends, of no longer hiding.

Mottle sang for hours and did not notice the other frogs circling around her or the people calling friends on their phones to tell them about the amazing frog they just saw.

She stopped her song and looked around, “Oh! Sorry, I’m sorry! Did I do something wrong?”

Urdip was wiping a tear away from her still twitching eye, “Wrong? No, honey, that was fantastic.”

Dom bellowed, “A new star attraction is born.”

Pic was licking her lips, “We might get snails to eat if she keeps this up!”

Even Kree was impressed, “I totally felt what you were doing there. Deep. Truly deep.”

And so, thanks to Mottle, they became a wildly successful exhibit. Researchers came from around the globe to study Mottle and try to determine what drove her ability to out-sing her peers.

And the people, they just liked hearing it.


This work is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.


from New MacBook Pro

I replaced my 7-year-old MacBook Pro yesterday. I installed UTM instead of going with Parallels. So far, so good. Stood up a macOS VM. It seems to hang occasionally. Don't love that. I also installed a Kali/ARM VM. Haven't done much with that one.

My objective is to keep the base OS as “clean” as possible. Install few additional applications. Use mainly the browser, native Apple apps, Edge for work, and Obsidian. All the “weird” will be pushed to VMs running in UTM.


from JR DePriest

“Psychomancer” and what it means

I call the universe in which I create my stories “Psychomancer”. It has been thusly named for 30 years, since I first read Simon's Necronomicon and started consuming the works of HP Lovecraft and August Derleth.

This is a world where magick is real, but hidden. It's a world steeped in the Cthulhu Mythos, where the Dreamlands are real, where the Deep Ones dwell beneath the ocean, where Atlantis fell 15,000 years ago. But calling upon Outsiders is not the only magick available. All magick is but an artifice over a deeper manipulation of all things. It is a system to understand that which cannot be fully comprehended by a human mind. There are dimensions of reality both above and below our own and each has its own native life. We cannot see them as we have no word for, no concept of, the directions we would have to “look”. Some life in these other planes reaches up or down to us, while other life is ignorant of anything but what is in front of it. The fractal-born machine elves inhabit a five-dimensional reality, for instance, while living shadows peer up in envy from two. “Psychomancers” see the flow of the past into the future as a river in which all of reality sits, and it has a preferred path. They can cause eddies, small redirections of current. They are workers of magick who sense and manipulate the subtle threads that connect all living and once-living things. Auras, the silver cords that bind us to them, the choices we make, our emotions and impulses, all impress themselves upon what we call reality as we move among the world, among the morass of remembered energies from past forms. Even the unthinking possess life as food is processed, textiles are created, ores are smelted, blending the experiences of the material into something new.

I will probably preface stories with “Psychomancer” in the name so you will know where they fall.

 

from acrypthash

Impacket and Kali Purple

Hello again,

I wanted to provide an update on some things related to my career that I am super grateful and excited for. Yesterday I had my first review at my place of work and the team couldn't be happier with the work that I have contributed. In return, I feel the exact same way. It has been a great experience and I am learning so much every day. Okay, enough of the mushy stuff.

I have been putting in time on Kali Linux Purple (let's call it kalip for short) and so far it's been enjoyable. For whatever reason, after I started using kalip, I was drawn to the preinstalled Impacket library :D. For those of you who don't know, Impacket is a collection of Python classes for working with network protocols: it gives low-level programmatic access to packet construction (Ethernet, IP, TCP, UDP) and ships implementations of higher-level protocols such as SMB, MSRPC and LDAP, along with the NTLM and Kerberos authentication schemes. This is where my fun started.

I did my testing based on the assumption that the endpoint is in a post-compromise state. We use EDR, so the assumption is that a hook was made or an AMSI patch was done to evade detection. There were four scripts of interest:

- impacket-smbexec
- impacket-wmiexec
- impacket-ntlmrelayx
- impacket-samrdump

impacket-smbexec is first. After you obtain either hashes or credentials, you can run it against an endpoint and get SYSTEM access (it executes your commands through a Windows service it creates over SMB, which is why they run as SYSTEM). A very useful tool. I did find that while playing with an endpoint over smbexec, I caused the session to crash while simultaneously running ntlmrelayx. Oddly and unrelatedly enough, I ended up not getting ntlmrelayx to work properly even after trying SMB authentication... That will be a work in progress.

Something that I am still trying to understand is why none of the traffic from smbexec was captured when I ran Wireshark. Oddly enough, the IP of my attack machine was nowhere in the PCAP. I even confirmed that the network card and network settings were correct. I have yet to trace any IoCs, but I am curious to see if there are any.

According to ChatGPT there are some to look into:

- Network traffic: Impacket-smbexec may generate unusual network traffic that can be identified through packet capture analysis. This could include requests to unusual ports, unusual protocols, or to destinations that are not typically accessed by the user or system.
- Process activity: Impacket-smbexec may spawn unusual processes on the system, or may run with unusual privileges or access levels that could suggest malicious activity.
- Registry changes: Impacket-smbexec may modify the Windows Registry, which can be monitored for unusual changes or activity.
- File system changes: Impacket-smbexec may create or modify files on the system, which can be monitored for unusual activity.

impacket-wmiexec has definitely been the most reliable, and because it utilizes WMI, it helps with not being traced. I haven't done much more than directory traversal with this tool, but it could help a threat actor (TA) nonetheless. A flaw that I found is that you access the system with whatever privileges are set for the account that is authenticating to WMI. Privilege escalation would need to be done separately, but this could be a useful form of lateral movement.
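Since the post asks what IoCs smbexec leaves behind and notes how wmiexec executes commands, here is an added example (my code, not part of the original post and not Impacket's own) that checks Windows event records for the artefacts the two tools leave with their default settings. It assumes the stock behaviour of impacket's smbexec.py and wmiexec.py as I know it: smbexec installs a service (default name BTOBTO) whose binPath is a %COMSPEC% one-liner that writes %TEMP%\execute.bat and redirects output to an admin share over 127.0.0.1, which surfaces as System event 7045; wmiexec has WmiPrvSE.exe spawn `cmd.exe /Q /c <command> 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1`, which surfaces as Security event 4688 when command-line auditing is on. The sample events below are constructed by hand, and the flat field names (EventID, ServiceName, ImagePath, ParentProcessName, CommandLine) are the ones a SIEM typically exposes, not a fixed format.

```python
"""Flag Impacket smbexec / wmiexec execution patterns in Windows event records.

Added example for this post. The sample events below are constructed to mirror
the shape of System 7045 (service installed) and Security 4688 (process created)
records; they were not captured from a real host.
"""
import re

# Defaults hard-coded in impacket's examples/smbexec.py and examples/wmiexec.py.
# An operator can change every one of them (-service-name, -share, ...), so the
# structural checks below matter more than the literal names.
SMBEXEC_DEFAULT_SERVICE = "BTOBTO"
SMBEXEC_BATCH = "execute.bat"
WMIEXEC_PARENT = r"\wbem\wmiprvse.exe"

# "... 1> \\127.0.0.1\ADMIN$\__<name> 2>&1": both tools write command output back
# over the loopback adapter to an admin share so they can read it over SMB.
LOOPBACK_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\[A-Za-z]+\$\\__", re.IGNORECASE)


def classify_event(event: dict) -> list[str]:
    """Return human-readable reasons a record looks like Impacket tradecraft.

    An empty list means no indicator matched.
    """
    reasons = []
    eid = int(event.get("EventID", 0))

    if eid == 7045:  # System log: a new service was installed
        image = event.get("ImagePath", "")
        name = event.get("ServiceName", "")
        if "%COMSPEC%" in image.upper() and SMBEXEC_BATCH.lower() in image.lower():
            reasons.append("smbexec: service binPath is a %COMSPEC% one-liner writing execute.bat")
        if LOOPBACK_SHARE_REDIRECT.search(image):
            reasons.append("smbexec: service binPath redirects output to a loopback admin share")
        if name == SMBEXEC_DEFAULT_SERVICE:
            reasons.append("smbexec: default service name BTOBTO")

    elif eid == 4688:  # Security log: a new process was created
        parent = event.get("ParentProcessName", "").lower()
        cmdline = event.get("CommandLine", "")
        if parent.endswith(WMIEXEC_PARENT) and cmdline.lower().lstrip().startswith("cmd.exe /q /c"):
            reasons.append("wmiexec: WmiPrvSE.exe spawned 'cmd.exe /Q /c'")
        if LOOPBACK_SHARE_REDIRECT.search(cmdline):
            reasons.append("wmiexec: command output redirected to a loopback admin share")

    return reasons


# Constructed sample records: two that mimic the tools' defaults, two benign.
SAMPLE_EVENTS = [
    {   # what smbexec's stock service install leaves in the System log
        "EventID": 7045, "ServiceName": "BTOBTO",
        "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
    },
    {   # ordinary service install: must not match
        "EventID": 7045, "ServiceName": "Sysmon64",
        "ImagePath": r"C:\Windows\Sysmon64.exe",
    },
    {   # wmiexec: WmiPrvSE.exe spawns cmd.exe with output sent to ADMIN$
        "EventID": 4688,
        "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1679012345.67 2>&1",
    },
    {   # interactive cmd launched from Explorer: must not match
        "EventID": 4688,
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe",
    },
]


def scan(events):
    """Return [(index, reasons)] for every event with at least one indicator."""
    hits = []
    for i, event in enumerate(events):
        reasons = classify_event(event)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}:")
        for reason in reasons:
            print("  -", reason)
```

Both tools let the operator rename the service, share and output file, so the structural checks (a service binPath that is a shell one-liner, a command whose output travels back over 127.0.0.1 to an admin share, WmiPrvSE.exe as the parent of cmd.exe) are the ones worth alerting on; the BTOBTO match is included only because unchanged defaults are common. Note that 4688 records carry the command line only when "Include command line in process creation events" is enabled, and that a service created by smbexec also produces Security event 4697 when that audit category is on.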

I am going to loop back when I have more time to write about the last two tools and clean up what I have already written. Cheers! ^–^

 

from acrypthash

Inspiration from Conferences and Other Information Outlets

This is my first post on here, but I hope to use this tool as good practice for my end goal of writing a 2600 article. This post is going to just briefly touch on some inspiration behind what is motivating me to work towards the goal I just mentioned.

The next two months are quite busy in relation to security conferences. I attended BSides Harrisburg last weekend, PancakesCON is this upcoming weekend, and next month I am going to be attending SecureWorld. As a result of attending these conferences and continuing to read things like 2600 magazine, I found myself motivated to try and contribute where I can. This will help the security community by being another source of knowledge as well as help me better articulate my writing and thought process.

A subject that I haven't seen much light shed on is data-driven defenses and prioritization for Blue Teams. By learning and understanding things like the exploit-response cycle and risk misalignment, security teams can better manage their environment's vulnerabilities and create action items based on tangible data. The goal of my brief article is to describe this for people and what we as defenders can do by utilizing more than just a high CVSS score.

After I wrote this I realized that I never made a whoami post on here. I will write one in a different blog post. Cheers! ^–^

 

from Kevin Neely's Security Notes

TL;DR

For the impatient, here is the final output from using ChatGPT to create service description documentation:

- Final doc in Markdown format (GitHub Gist)
- Final doc in PDF format (Box)

Overview

I’ve been working on building out an internal offensive security function and got to the point where I need some internal documentation as to the service(s) description, engagement model, outcomes, etc. Like a lot of planning, I started with an Xmind #MindMap, and with all the buzz around #ChatGPT, I wanted to see how well it could take what I have and build some docs for me.

In addition to Xmind, I use Obsidian for note-taking, jotting down thoughts, and organizing documentation. The object of this exercise will be to have #Markdown formatted text that I can make final edits in Obsidian and from there publish to a documentation repository.

ChatGPT Prompts

First prompt

I started with a pretty robust prompt. With the exception of the Objective paragraph at the top, this was 100% copy-paste from Xmind to the ChatGPT prompt.

Objective: I want to create a service description and engagement model for an internal red team. This service description should be formatted like a document with section headings and subheadings. Format the output in Markdown.

The service components will be as follows:
- the team will manage the scheduling process
- the team will determine the activities that must be completed to adequately test the target
- the team will determine whether a specific test should be carried out by an internal team or if an external testing firm needs to be engaged

Pre-requisites for initiating a test include:
- a system architecture diagram
- a completed threat model document
- access to the systems that will be tested

The activities performed by this function will include the following items
- Document processes so they are
  - Repeatable
  - Defendable
- Create and perform Reporting with the following characteristics
  - templates
  - regular cadence
  - tied-in to the risk review process
  - findings go into backlogs, jiras, and project plans, depending upon the team and target
  - demonstrated ability to remediate findings
- Engagement with developers must include
  - Regular sessions with R&D and IT teams that are developing tools and systems
  - Demonstrations
  - Threat modeling
- Engagement with System Operators must include
  - Educational review sessions with teams
    - system operators
    - Blue team
    - system integrators
  - Demonstrations of exploit
  - Collaborative remediation sessions
  - Threat modeling

and the output:

[Image: ChatGPT output 1]

Second prompt – measurable outcomes

Now I need to define some measurable objectives of the program in #OKR format so we can measure its success. The results were pretty meh. I’ve tried OKRs and #infosec success criteria in other chats and they pretty much all come out the same. This section had to be heavily edited for the final. Luckily, I’d already outlined them in the mindmap.

[Image: ChatGPT OKR prompt and response]

Prompts 3 thru 5 – flowchart

Now that I have a working service description and some OKRs that still need editing (all a bunch of words no one will read), I need a flowchart diagram. I’m a fan of Mermaid diagrams for their usefulness across various markup languages like Markdown and reStructuredText.

prompt

based upon the service description above, create a flowchart of the entire process beginning with scheduling and ending with concluding a set of tests. Output this flowchart in Mermaid syntax.

output

graph TD
A(Schedule Test)
B(Review Prerequisites)
C(Plan Activities)
D(Determine Testing Resources)
E(Perform Testing)
F(Record Findings)
G(Produce Report)
H(Engage with Developers and System Operators)
I(Conclude Tests)

A --> B
B --> C
C --> D
D --> E
E --> F
F --> G
G --> H
H --> E
H --> I


In this flowchart, the process begins with scheduling a test (Step A), followed by reviewing the prerequisites for the test (Step B). The team then plans the activities required for the test (Step C) and determines whether internal or external testing resources are required (Step D). The testing is then performed (Step E) and the findings are recorded (Step F). The team then produces a report (Step G) and engages with the developers and system operators (Step H) to remediate any issues. The process concludes with the finalization of the tests (Step I).

This was a decent start, and I had a couple of iterations:

  1. adding a decision: “add a decision to the chart after step E in order to determine whether the completed tests are adequate to move on to testing completion”
  2. inserting some more steps: “In the Mermaid flowchart above, tests need to be concluded prior to producing a report. Also, add a step called "Send to Product Management and Security Leadership" occurring in parallel with the "Engage with Developers and System Operators". Also, conclude with a step called "apply recommendations to target systems"”

There were still some errors at this point, such as ChatGPT insisting on putting the “Conclude Tests” step at or very near the end, even though it’s really about the mid-point of the workflow. I could have continued the prompts, but at this point I decided to finish this off by hand.

Prompts 6 and 7 – RACI

Now that the processes are defined, we need to identify the responsibilities of each of the roles and how they interact.

[Image: ChatGPT prompt requesting a RACI for an offensive security program]

From this, it’s clear that ChatGPT is good at formatting and generating a RACI matrix in #Markdown format, and this version has reasonable values for the roles, even if I don’t agree with them. Still, it was useful enough to have a good foundation that I could tweak, but before that, I added one last parameter:

add a new role to the matrix called Red Team Manager. This role should be responsible for the scheduling and accountable for everything else. Add two new processes called Review Findings and Remediate Findings. The Developer is responsible for the former and the System Owner is responsible for the latter. Recreate the RACI matrix with these new parameters and output the Markdown code.

And this changed the RACI to basically make the manager accountable for everything.

Finishing up

At this point, I felt like I had the elements I needed, so I began the process of copy-pasting them from the interface into Obsidian and making tweaks to get a usable service description document.

The final output from using ChatGPT to create service description documentation:

- Final doc in Markdown format (GitHub Gist)
- Final doc in PDF format (Box)

 