So I definitely have a different mental history of active directory than
most people, and recently I was doing a Glasshouse podcast with Pablo Breuer
<https://www.linkedin.com/in/pablobreuer/> and here
<https://youtu.be/Z0d6qNLevUY?t=2714> he says basically the same thing
everyone says, which is that it's impossible to move off of technology even
when that technology has a history of severe flaws, or a design flaw that
means it cannot be secured.
This is the current mental stance among CIOs familiar with large companies,
or even medium size companies! And I get it! But if leopards keep eating
your face, and every hacker in the world keeps recommending you stop giving
them a cuddle, and you say "I can't, I have legacy systems in my head that
love to hug large dangerous cats" then that stops being the government's
problem, in a way. Like when people ask why Cyber Insurance Markets are
obvious catastrophic failures, and we point at how they can't really change
any meaningful behavior, and they have to insure the total market value of
whatever company they are insuring because the cost of risk is basically a
sliding scale of whatever the Russian ransomware team thought up that
morning over kasha, then everyone gets that surprised face and it's all
very annoying.
So anyways, that brings us back to AD. AD is a system where any time you
hack any computer on the network, you can become the domain controller, and
own the whole company. That's just how it works. Every hacker/penetration
tester has known that for two decades and the specific incantation on how
you do that changes slowly over time, but it's always true. And then at
INFILTRATE one year two Microsoft Research team members demonstrated an
automation of the lateral movement piece which is now what Bloodhound
<https://mcpmag.com/articles/2019/11/13/bloodhound-active-directory-domain-a…> is.
So in theory everyone knows this right now, even though they like to blame
EternalBlue for all their problems in life.
But when you point that out on Twitter
<https://twitter.com/dinodaizovi/status/1418909301746327559?s=20>, people
ask you what the alternative is, and I have to admit I disagree with DDZ
that it's "Zero Trust". That sounds like adding more complexity to a system
that is already SO COMPLEX even lifetime specialists not named James
Forshaw don't understand the BASICS of the authentication system.
Like here's a paper
<https://twitter.com/DebugPrivilege/status/1418884269376671755?s=20> that
came out today that's in my queue all about Service credentials, and look -
no matter how many new auditing tools or visualization thingies or AI
anomaly detection alerts you deliver to your customers, if the underlying
system is NOT UNDERSTANDABLE BY HUMANS then you can't secure it. I
guarantee you that about 80% of the Russian ransomware affiliates
understand Service Credentials and delegation better than your current AD
management lead. Most of the time your AD ACLs are just you fooling
yourself that you have a security boundary where you, in fact, don't.
Also, the problem is not NTLM. Everyone stop talking about NTLM. It
wouldn't matter if AD was re-implemented to use purely quantum key exchange
because only Gandalf can mentally visualize the transitive trust structures
implicit in how you configured your AD Forests.
Ok so that brings us back to: What do you do instead? And honestly, I don't
know. I've enjoyed reading the snippets that Grapl Security
<https://www.graplsecurity.com/> has been posting about their setup. As far
as I can gather, the TL;DR is just use Google as your directory server and
use Chromebooks as much as possible.
This is what I do right now - but I'm not sure how scalable this is. Maybe
y'all can pitch in on this thread and suggest a solution?
Thanks,
Dave Aitel
Ok y'all - you're letting me down. There's a thousand ways you and your
friends can use 10k to improve the world - engineering a solution nobody
would pay for because it's not something you can put at a booth at RSAC.
EVERYONE ON THIS LIST needs to either submit for a grant, or find someone
who will submit for a grant. You're telling me not one of those
superhackers at Microsoft and Google can find a worthy project? It's
Thursday, and there's 5000 people on this list, each of which can destroy
whole systems of the world with their minds, but actually all I want now is
for them to work up the energy to fill out this google form
<https://nostarchfoundation.org/apply-now/>. I have a whole team of very
cool people <https://nostarchfoundation.org/our-board/> waiting to help
walk you through the process once you do.
And the grant recipients that get selected are also going to get mentored
by experienced members of the field - the head of the mentorship committee
<https://en.wikipedia.org/wiki/Fred_Davis_(entrepreneur)> started a little
zine back in the day called Wired and knows basically EVERYONE, and I think
the mentorship alone should convince you to submit a grant request.
Anyways, typey typey. Get to it. :)
-dave
P.S.
Here's one of last year's submissions
<https://nostarchfoundation.org/grant-recipients-by-year/2020-grant-recipien…>,
which I quite like.
A while back I was chatting with someone at INFILTRATE, over fried
alligator and more alcohol than I probably should have imbibed, and he
said, "We're going to make fuzzing obsolete, because we have more CPUs on
the problem than anyone can reasonably duplicate, and we're going to
exhaust the space".
And it's PLAUSIBLE in a way. I've watched a few of the live streams that
Brandon Falk does, and you can see how like, for a certain subset of
problems throwing more CPU and Power than Zeus at the fuzz problem might
actually drain the oceans we all swim in.
But lots of plausible stuff is still dead wrong. I spun up a private fuzzer
a few weeks ago with some random test harness and popped a bug[1] in a
popular browser almost by mistake. Now I'm spending hours and hours poring
over C code trying to find the root cause so I can control it, which since
I am so out of practice is not unlike a coal locomotive trying to drive
down one of the new Boring Company tunnels, coughing black oily smoke all
over those shiny white Teslas. How do you install Ctags again?
If you're bored, this Sunday, or any Sunday, you can watch this talk on
CONOPS I put together, after spending too much time reading bad cyber
policy papers: https://youtu.be/6l28f_x54gM . It might be related, it might
not. The world is unknowable, like the results of a fuzzer.
Some part of all of this is a lesson that when it comes to bug finding,
it's not only ok to be different - to be from a different era, or to think
in a different way - it's almost required. Team BigCorp can spin up all the
VMs in the world, and if they don't love the same bugclasses you do, they
will have optimized away from finding the bugs you find.
Also, I want everyone to help publicize this so we can change the world for
the better, even if just a bit. Send it to your friends! Think of cool
things to do with it!
https://twitter.com/NSPFoundation/status/1379849502199144449?s=20
-dave
[1] a3ca63d4929c08a18c4418e039557e6d lol, I had trouble getting this hash
but in the process found out it hits the default Windows 10 Home (not Pro,
because Dwizzle hasn't sent me that yet) as well.
So lately I've been doing little news roundups on the YouTubes....
Yesterday's is here: https://youtu.be/xgiymt_0isY
Neal Stephenson, in his most recent book, *Fall*, had a character that was
an interesting play on the traditional fantasy "giant" in the sense that
she was normal size, but fractally dense. I feel like we are living that
kind of time - in the sense that gravity is really a measure of how much
stuff is happening at any given place!
Anyways, smack that subscribe button the way you hit enter on Bl4sty's sudo
exploit on those Linux boxes you were a "guest" on. :)
-dave
So one of my new fav questions to ask policy teams is what they would do if
they were told to switch their offensive team entirely to worms. Nothing
else. Just worms. What needs to change to make that happen - from op tempo
to supply chain to personnel to policy and technological investment.
And how would their defensive team need to change strategically if they
were facing such an offensive team.
It's a fun thing to see people wrap their minds around. :)
Also, if you missed it, yesterday's CYBER HOT TAKES are here:
https://www.youtube.com/watch?v=hzcmfIgvj7A&t=2s&ab_channel=DaveAitel
-dave
Recently I read this post from Maddie Stone of Google's Project Zero:
https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-re… .
In particular, it has a bolded line of "*As a community, our ability to
detect 0-days being used in the wild is severely lacking to the point that
we can’t draw significant conclusions due to the lack of (and biases in)
the data we have collected.*" which is the most honest thing I've read from
the defensive community in a long while. Like I feel like it's a good idea
to have as a reflexive habit the concept of "What am I looking directly at
that I'm not seeing."
As a kid I was obsessed with various elements of biology, despite not
having the grades to show for it. But as an adult I wish I could go back in
time and just blow my own mind with a few short things I've learned. Most
of them are obvious in retrospect, such as the following:
- Birds are dinosaurs
- Genes sometimes travel in-between species, carried by bacteria that
infect both of them
- 40% of all animals are parasites
- Metabolism (and cells) evolved before DNA
- Energy Epochs
<http://suvratk.blogspot.com/2017/07/olivia-judson-on-energy-expansions-of.h…>
are useful predictive tools
I mean, for most people on this list the same thing is true for hacking.
For me these things might include:
- State tables are more important than memory handling
- Timing attacks are impossible to explain to people, so they never get
fixed
- Attack tools tend towards generics
- It doesn't matter if they catch you, if they won't ever do the
meta-analysis to put the larger picture together
-dave
A thousand years ago I subscribed to the Security Metrics mailing list.
Metrics are important - or rather, I think good decision making is
important, and without metrics your decision making is essentially luck.
But we haven't seen any progress on this in a decade, and I wanted to talk
about the meta-reason why: Oversimplification in the hopes of scaling.
There's a theme in security metrics, a deep Wrong, that the community
cannot correct, of trying to devolve features in their datasets to a single
number. CVSS is the most obvious example, but Sasha's VEP paper here (
https://www.lawfareblog.com/developing-objective-repeatable-scoring-system-…)
demonstrates most clearly the categorical example of the oversimplification
issue, one that all of FIRST has seemingly fallen into.
If I took all the paintings in the world, and ran them through a neural
network to score them 1.0 through 10.0, the resulting number would be, like
CVSS, useless. Right now on the Metrics mailing list someone is soliciting
for a survey where they ask people how they are using CVSS and how
useful it might be for them. But the more useful you think CVSS is for you,
the less useful it actually is being, since it can only lead you to wasting
the little security budget you have. *CVSS is the phrenology of security
metrics.* Being simple and easy to use does not make it helpful for
rational decision making.
If we want to make progress, we have to admit that we cannot join the
false-positive and false-negative and throughput numbers of our WAF in any
way. They must remain three different numbers. We can perhaps work on
visualizing or representing this information differently, but they're in
different dimensions and cannot be combined. The same is true for
vulnerabilities. The reason security managers are reaching for a yes/no "Is
there an exploit available" metric for patch prioritization is that CVSS
does not work, and won't ever work, and despite the sunk cost the community
has put into it, should be thrown out wholesale.
-dave
Today is my last day at Immunity. I don't know what to say about it that
everyone on this list doesn't already know or that isn't weighed down with
embarrassing secrets. At its best Immunity was a family, but also a machine
for producing absolute monsters, and not just in the technical arenas. Even
when it came to project management, we dropped people in the deep waters of
the Marianas Trench and expected them to build bioluminescence on the way
down.
Because of my history at the NSA, I always believed managers at Immunity
had to be as technical or more as anyone in their tree. This is less being
a manager than being a Dungeon Master but it's also the only way to grow
Ogres.
There's a scene in the West Wing when someone tells Donna that her job
can't be where she grows into a person, and she says, "Why Not? Why can't
it be that thing?" and for a lot of us at Immunity that rang true, with
kids and divorces and entire new career fields.
I sent one last email to the internal list, but at some level a lot of
Immunity is spread out amongst the stars and I wanted to thank everyone at
once. It was the honor of a lifetime to work beside you all. We did great
things together.
-dave
I wanted everyone to browse here and enjoy this Microsoft Teams
vulnerability: https://github.com/oskarsve/ms-teams-rce/blob/main/README.md
I also enjoy the discussion
<https://twitter.com/taviso/status/1336365194071535617?s=20> it has
engendered when it comes to how to measure vulnerabilities that are "in the
cloud" or via "Auto-update". It would be good to get clarity on these
things.
Measurement is the first step of something else: intermediate analysis. I
think we failed, as a community, when we accepted the premise that
vulnerabilities could be flattened down to simple numbers, CVSS scores, VEP
scores, whatever. Bugs are inherently complex and interlinked. Losing that
is losing their essence - you lose the ability to think coherently about
them.
But if you follow any set of scoring guidelines for vulnerabilities, and
the best ones are qualitative, like the Pwnie Awards, you know that even
though a massive amount of effort has gone into mitigation, assessment,
secure coding frameworks, education, and everything else that makes up the
meta-SDL, we are flooded with bugs. The mitigations aren't working. The
secure coding frameworks, aren't. For every bug we find and fix a dozen
more are written by the developers we thought we trained.
It is a natural response to try to hide from this knowledge of failure. To
cook the CVE numbers. To take refuge in our stock prices. Let's write
another blogpost about catching an APT and give it a funny insulting
nickname.
Unfortunately without intermediate analysis you cannot do higher level
strategy. And the treadmill of the information security technology arena is
beyond exhausting. An equally fast treadmill is running next to it for
security policy and legal policy and another one for incident response.
There's no intermediate analysis happening in any area, so we are left
making strategy choices by random chance or luck or the occasional
herculean effort.
-dave
https://twitter.com/JesseHeinig/status/1336913378564919297
https://twitter.com/ClipperChip/status/1337289319988473856
People seem to think you can use etymology as some clue to deciphering the
cyberpunk and cyber philosophy in general. You can read a whole Thomas Rid
book
<https://www.amazon.com/Rise-Machines-Cybernetic-Thomas-Rid/dp/0393286002>
on it, and it's weird when people stress "Cybernetics" as if they've found
some long lost hieroglyphic clue when the reality of how everything cyber
evolved is staring right at them in flickering neon lights. As Hunter S.
Thompson said, "with the right kind of eyes you can go up onto the top floor
of any Silicon Valley building and you can almost see the high-water mark.
That place where the wave finally broke and rolled back."
When I was 20, working at the NSA, I once attended a cypherpunk meeting in
DC, with Diffie and others crowded into a brownstone somewhere in one of
the nicer parts of the city. The cypherpunk motto is very simple, "Privacy
is necessary for an open society in the electronic age. We cannot expect
governments, corporations, or other large, faceless organizations to grant
us privacy. We must defend our own privacy if we expect to have any.
Cypherpunks write code. We know that someone has to write software to
defend privacy, and we're going to write it."
At 20, in my larval stage, I was so socially awkward that it wrapped around
to blithe unfiltered ignorance. During introductions, when they asked me
where I worked and I said, "The DoD", they asked me why. I shrugged,
"'Cypherpunks write code', and there are more at the NSA than you might
think." And people got over it - I pestered people with technical questions
later as I always do, and there were snacks. But everyone in that room was
a fighter, striving against an unspoken force on the field we now know as
cyber war.
Although no genre is "about" anything, to some extent Cyberpunk novels have
often had a keen awareness of analyzing what it means to be a human mind.
The new game Cyberpunk 2077 is an excellent adaptation of this theme, and
avoids playing the horrors of modern life for laughs - where GTA 5
leveraged its open world to poke fun at the system, and Red Dead Redemption
allowed you to marvel at the world despite its failures, Cyberpunk 2077
drops you into the scene in first person as a rollercoaster of existential
dread takes you on a fast paced journey into tasting every gritty
philosophical sandgrain of losing what it means to be a human, to have a
mind of your own.
William Gibson has said, "Science Fiction is never about the future. It's
always about the present." but he also said "The future is already here,
it's just unevenly distributed." And in the same sense that chemistry is
just really slow applied electromagnetism, Cyberpunk literature, and the
new game is exactly that, is a story about how some place's future,
Xinjiang's perhaps, is all of our futures. The way that brownstone living
room was, if you had the right kind of eyes.
-dave