Month: September 2021

Attack of the cables

In last week’s article, I spent some time discussing the disadvantages of penetration testing. The main limiting factor for every red team is the client’s engagement policy, which is usually not comparable to a real-life attack. At the same time, some of the latest developments in the field are quite disturbing and could be used by hackers for malicious activities.

One such gadget, manufactured by Hak5, looks like an ordinary USB charging/data cable but comes with keylogging built in. According to the vendor, the cable supports the following features – Keystroke Injection with DuckyScript™, Keylogging (650,000 keystrokes of storage), USB-C Smartphone & Tablet Keystroke Injection, Remote Access by WiFi, Customizable Self-Destruct, Multiple storage slots for large payloads, On-Boot payloads, Remote Trigger by WiFi (Geofencing), Long Range WiFi Trigger (2 KM+), Control from any Web Browser and Scriptable WebSocket. In short, the cable is a fully working micro-computer with remote access for loading payloads and executing them without the victim’s knowledge. As a bonus, it looks exactly like a standard USB to USB-C cable, and versions for Macs are also offered.

A creative attacker can think of many uses for such a cable. They could ask to borrow your cable and swap it for the malicious one. They could break into your home or office and swap the cables. They could seed a computer shop’s whole stock with these cables and wait for you to buy one. The options are almost limitless. With this gadget around, you can virtually not trust any cable or flash drive, whether it comes from your hardware supplier, your friends or your family.

The diagram shows how the cable works. To the host it presents itself as an ordinary cable (and, when the payload fires, as a keyboard); meanwhile, the attacker delivers the payload over Wi-Fi and activates it.

We could imagine that the next step for companies such as Hak5 is to embed a full ADB (Android Debug Bridge) implementation into the cable and enable remote attacks against smartphones. Such a cable would be quite an exciting gadget and would open up even more attack scenarios.

For a long time, I have wondered why such equipment is not treated the same way as weapons. The relative ease of manufacturing and using such gadgets makes them more and more dangerous. Without regulations or even government-issued permits, more and more people will have access to them. What is the guarantee that they will not end up in the hands of black hat hackers or criminals? Not to mention that every white or gray hat hacker could potentially go rogue and become a black hat. What is the guarantee that such gadgets will not be used for malicious purposes even by licensed professionals?

In conclusion, the penetration testing landscape has become more and more concerning. Without a good set of regulations, we could soon see many people using military-grade hacking gadgets, turning the defensive side of cybersecurity into a terrible nightmare. In any case, few defenders will be thrilled by the idea of wrapping their USB cables and flash drives in aluminum tape[1] every time they buy new hardware. Sure, it is a cheap way of blocking radio waves, but the aesthetics will suffer, and it does nothing against the on-boot payloads listed above, which need no radio link at all.

[1] – https://emfacademy.com/aluminum-foil-emf-radiation/

Red team that

Red team exercises and penetration testing have become our new reality. Especially with COVID-19 and the additional boost to digital transformation, we are more and more digitally dependent. Many countries have started legally requiring businesses and governmental organizations to improve their cyber security defenses. The usual way to demonstrate that is to run penetration testing drills once or twice per year.

However, we should ask ourselves how effective this practice is and whether it provides a good level of security for our data and assets. To do that, let’s analyze the usual workflow of a penetration test. Every engagement in cybersecurity starts with a legal contract, which defines the rules of engagement. In this contract, the defending side, the client, negotiates the rules with the attacking side, aka the penetration testing company. When a third party such as a government or a corporation imposes requirements for an integration, the rules are defined by that third party. They can even give you a list of “trusted” penetration testing companies from which you have to choose. For example, when we had to do a security audit for Google and Microsoft to allow our integrations, they provided the list of auditing partners we had to use.

The diagram shows a standard red team drill workflow. The rules are usually not set by the attacking team.

And here is one of the main problems with penetration testing: there are rules of engagement. In a real-world scenario, there is no such set of rules. A dedicated attacker will do whatever is necessary to penetrate your defenses and will not abide by the law. Comparing a penetration test to a conventional military drill is not only impractical but could even be harmful to your team’s attitude. It is much better to compare the attacker’s modus operandi to what guerilla fighters do: asymmetric warfare, without rules or requirements. Attackers will do exactly what is necessary to penetrate you, no more and no less.

The second problem with penetration tests is that the attacking team usually has limited time to penetrate your organization. The whole economy around red teaming is based on projects between two weeks and two months long. After that, the attacking team must move on to the next assignment. In comparison, real-world hacker teams are often part of criminal syndicates, which have other sources of income such as human trafficking, prostitution, drugs and weapons. They can happily try to hack one organization for a year or more, especially if it is a big enough target.

And last, but not least, different motivation. In the red team case, the motivation is to satisfy a requirement or a law. It means that the penetration team will make sure the system passes the requirements and will rarely do more. Real hacker groups usually have a narrower set of motivations, money and personal vendetta, and both rank much higher on the motivation scale than simple requirement fulfillment.

In conclusion, penetration testing is a helpful activity; however, it is not a panacea. Its results give you a snapshot of your organization’s current cybersecurity state. Unfortunately, the limited scope of every penetration test will not give you a 100% guarantee that attackers cannot breach your defenses. It is much better to treat red teaming as one valuable tool within a broader cybersecurity strategy.

Game of loans

In my article on start-up unicorns, I already presented how most start-ups finance their operations and how efficient this way of working is. This article will show how companies and wealthy individuals finance their operations once they reach unicorn status and have already executed a successful IPO or ICO.

But before explaining the financial workflow, let’s analyze what an IPO is and how it fits into the standard capitalist system. At its core, an IPO relies on the same thing as every ordinary bank: trust. People trust the company doing the IPO and are willing to buy its common stock. Let’s also look at how banks evaluate a given company to calculate its value. Usually, it is a combination of all of its assets, including the common stock traded on the stock exchange. So far, so good; however, the stock exchange valuation rules are quite interesting, more specifically the rule for how the end-of-day price is calculated. It is based on the amount of money someone is willing to pay for a given share. And here is the part that must bother us: one big chunk of a company’s valuation is entirely based on people’s trust in the company. It is not based on any real-life assets such as gold, art or real estate. It is entirely based on faith. We can even safely say that we all are living in a trust-based economy.

The diagram shows a standard way in which wealthy individuals finance their operations. They use the IPO/ICO to increase their liquidity and apply for a loan after that.

But let’s go back to loans: how do we calculate the personal wealth of people? The answer is simple: the same way banks calculate the valuation of a company, i.e. based on all personal assets, including stocks. When wealthy individuals decide to buy or invest in something, they have two ways of doing it: sell assets or take a loan.

Usually, most of them prefer to take a loan against the current valuation of their stocks and pay it back later. To grant the loan, the bank values the collateral based on what someone else is willing to pay for the stock at that moment. In a fractional-reserve banking system the bank does not need to hold the full amount in advance: the loan is created as a new deposit, and new money enters the system. So, in short, every time a bank provides a loan against stock, we pump new money into the system and lower the buying power of everyone holding the local currency.

In conclusion, most wealthy individuals prefer to finance their operations with loans instead of selling stock at its current value. However, such loans feed inflation, because each one puts new money into circulation. Another question is how much buying power our modern billionaires have compared to those of the past. For sure, most of them could not afford to finance the operations of over 1000 public libraries with their own money.

Five mistakes to avoid when building your startup

For almost 18 years, I have been working in product-based Start-Ups. During this time, I have seen a fantastic range of mistakes made during virtually every stage of their lifecycle. The range starts with something small, such as the wrong computer equipment for employees, and goes up to massive investments in expensive server equipment or shady marketing agencies. However, five mistakes I can categorize as showstoppers for every Start-Up. They can instantly kill your company:

  • No business need: Unfortunately, many companies start developing a product without proper business research. I have done that at least five times in my professional journey. Creating a technical product without adequate business verification is the number one reason for Start-Up failure.
  • Erroneous business team: As we are speaking about business, many entrepreneurs and investors follow the “A player” hiring mantra. The business development teams in the Start-Ups I was part of had quite mixed backgrounds (including people from Harvard and St. Gallen), and still the results were mixed. You need the team that can do the job for you, not the team with the flashiest CVs.
The diagram shows a typical distribution of the mistakes made in one start-up. The largest share is always for no business need.
  • Erroneous technical team: Absolutely the same as the previous point, but for your technical team. I have worked with people from different backgrounds (including people from companies such as Google, Facebook, Twitter, Amazon, etc.). Again, the results were quite mixed. I cannot deduce a trend where the more prominent the background, the better. The only trend I could find was that your team needs the right attitude.
  • Not enough team compensation: Many entrepreneurs think they must take a big part of the equity pie because they provided the money and the idea. This kind of thinking is wrong. Ideas and money are nothing without proper execution, and if you cannot motivate your team to execute, you are shooting yourself in the foot.
  • Aiming too high: Many Start-Ups aim too high in terms of customers. This is quite a harmful strategy, bearing in mind that big companies’ decision-making process is notoriously slow. Better start small, acquire a pool of smaller customers and then scale (ideally, you can bootstrap this part and take funding only for marketing and scaling). With this strategy you achieve two things: traction and early verification. Hunting deer and elephants[1][2] can come in the next iteration.

In conclusion, building Start-Ups is hard. Almost 95%[3][4] of Start-Ups fail during the first 2-3 years of their lifetime. Keeping in mind that people around the world start over 100M new Start-Ups every year, this is a sad statement. The five mistakes listed above, combined with the huge ego of the average Start-Up founder, are a recipe for trouble. Leaving you with a thought: you can print new money, but you cannot issue new brains. Please treat your team well.

[1] – https://www.slideshare.net/theproductguy/elephants-deer-rabbits-choosing-the-right-customer-for-your-products

[2] – https://kimtasso.com/selling-basics-targeting-with-rabbits-deer-and-elephants-video/

[3] – https://www.investopedia.com/articles/personal-finance/040915/how-many-startups-fail-and-why.asp

[4] – https://medium.com/journal-of-empirical-entrepreneurship/dissecting-startup-failure-by-stage-34bb70354a36

Cybersecurity tactics for small teams – Hardware Device Security – part 1

Please check the previous part – here.

In the previous parts we discussed how to assure your physical security and your network perimeter. The topic of the following two parts is the security of your hardware devices; in particular, I shall give you some ideas on how to secure your personal computer and your mobile phone. At the end of the two parts I shall provide a sample budget for a security-oriented personal computer, laptop and mobile phone, including the software appliances.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine which works with data and can perform operations on it. It is similar to what our brains do for us, but in a different way. In terms of computer security, it is essential to understand that your computer is both a data carrier and a data generator. The goal of your security awareness model is to protect the data and the logic that generates it. So we have to treat our computers the same way we treat our brains when we don’t want to share something: by making sure we have taken all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptops because they have a larger number of attack vectors. The same list of attacks applies to workstations.

By definition, a laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all hardware devices, including the ones related to what ends up in the garbage. Securing laptops is almost impossible, and a dedicated attacker will most probably manage to penetrate the defenses of your laptop one way or another. But let’s list the different attack vectors your laptop has.

The diagram shows a standard data exfiltration workflow. The attacker makes the victim’s machine send data to a malicious service and then reroutes the data to his/her own infrastructure.
  • Theft: Being mobile, any laptop is a portable data carrier, just like your paper documents and USB flash drives. A dedicated attacker can steal the computer and gain access to your data. It is essential to mention that an encryption mechanism can slow the attacker down, but you cannot be sure it will stop them. Full-disk encryption protects data at rest, which is why a laptop stolen while powered off is a far smaller problem than one stolen while running or merely suspended with the keys still in memory.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools for attacks that require physical proximity. They can penetrate your WiFi network, and there are even devices such as the USB Rubber Ducky. They look like a standard USB flash drive, but in fact they tell your computer that they are a keyboard and type out an attack script.
  • Malware: There are many types of malware, but two are the most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them take your data. In the case of ransomware, you have to pay, but at least you are notified that something is wrong. In the case of a trojan horse, you have no idea what is happening to your data.
  • Misconfiguration: Most laptops do not come with a proper security configuration by default. Users without formal training rarely harden the system, so it stays unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Cracked versions of popular software usually come with malware preinstalled. It is highly advisable to use open source or paid products.
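
Both the cable described in “Attack of the cables” above and the USB Rubber Ducky in the list rely on the same trick: a device that enumerates as a keyboard and types a payload. The script below is an added example, not code from the article or from Hak5, of two host-side checks a defender can run. It parses Linux kernel (dmesg) log lines for USB devices that register an input interface without being on a keyboard allowlist, and it flags bursts of keystrokes typed faster than a human could. The log lines, the placeholder vendor/product ids 1234:5678 and dead:beef, the allowlist and the timestamp samples are all constructed for the example; the 0.03 s cadence threshold is an assumed value.

```python
"""Host-side heuristics for spotting a USB keystroke-injection device.

Added example, not code from the original article or from Hak5. Two checks:
  1. Enumeration: parse Linux kernel (dmesg) lines and flag any USB device that
     registers an input (HID) interface but is not on an allowlist of known
     keyboards. A "cable" or "flash drive" that shows up as a keyboard is the
     tell-tale sign of the devices discussed in the article.
  2. Cadence: injected payloads type far faster than a human, so a burst of
     keystrokes with a tiny median inter-key interval is suspicious. Using the
     median tolerates a few scripted DELAYs inside the payload.
The log lines, vendor/product ids and keystroke timestamps are constructed.
"""
import re
import statistics
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed dmesg excerpt: a known keyboard on port 1-1, a flash drive on 1-2,
# and an unknown device on 1-3 that registers a keyboard input interface.
# 046d:c31c is a Logitech keyboard id; 1234:5678 and dead:beef are placeholders.
KERNEL_LOG = """\
usb 1-1: new full-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
input: Logitech USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:046D:C31C.0001/input/input12
usb 1-2: new high-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00
usb-storage 1-2:1.0: USB Mass Storage device detected
usb 1-3: new full-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=dead, idProduct=beef, bcdDevice= 1.00
input: USB Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/0003:DEAD:BEEF.0002/input/input13
"""

# Keyboards the administrator expects to see (assumed allowlist).
KNOWN_KEYBOARDS: Set[Tuple[str, str]] = {("046d", "c31c")}

NEW_DEVICE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
INPUT_DEVICE = re.compile(r"^input: (?P<name>.+?) as (?P<path>/devices/\S+)")
# The interface component of the sysfs path looks like ".../1-3:1.0/"; the part
# before the colon is the USB port the device sits on (nested hubs give "1-3.2").
PORT_IN_PATH = re.compile(r"/(?P<port>[\d.-]+):\d+\.\d+/")


@dataclass
class UsbDevice:
    port: str
    vid: str
    pid: str
    inputs: List[str] = field(default_factory=list)  # names of input interfaces


def parse_enumeration(log: str) -> Dict[str, UsbDevice]:
    """Build a port -> device map from kernel log lines."""
    devices: Dict[str, UsbDevice] = {}
    for line in log.splitlines():
        m = NEW_DEVICE.match(line)
        if m:
            devices[m["port"]] = UsbDevice(m["port"], m["vid"], m["pid"])
            continue
        m = INPUT_DEVICE.match(line)
        if m:
            p = PORT_IN_PATH.search(m["path"])
            if p and p["port"] in devices:
                devices[p["port"]].inputs.append(m["name"])
    return devices


def unexpected_input_devices(devices: Iterable[UsbDevice],
                             allowlist: Set[Tuple[str, str]] = KNOWN_KEYBOARDS) -> List[UsbDevice]:
    """Devices that expose an input interface without being a known keyboard.
    Vendor/product ids can be spoofed, so treat this as one signal only."""
    return [d for d in devices if d.inputs and (d.vid, d.pid) not in allowlist]


def looks_injected(timestamps: Sequence[float], min_keys: int = 8,
                   max_median_interval: float = 0.03) -> bool:
    """True when a burst of keystrokes arrives faster than a human could type.
    Fast human typing is roughly 8-10 keys/s (>= 0.1 s apart); 0.03 s is ~33 keys/s."""
    if len(timestamps) < min_keys:
        return False
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    return statistics.median(intervals) < max_median_interval


# Constructed keystroke timing samples (seconds since the first key).
HUMAN_BURST = [round(0.15 * i + (0.03 if i % 2 else 0.0), 3) for i in range(20)]
INJECTED_BURST = [round(0.005 * i, 4) for i in range(40)]


if __name__ == "__main__":
    for dev in unexpected_input_devices(parse_enumeration(KERNEL_LOG).values()):
        print(f"ALERT: port {dev.port} ({dev.vid}:{dev.pid}) registered {dev.inputs}")
    print("human burst injected?   ", looks_injected(HUMAN_BURST))
    print("injected burst injected?", looks_injected(INJECTED_BURST))
```

Neither check is conclusive on its own: a malicious cable can clone the ids of a real keyboard, and a payload can include DELAY commands, which is why the cadence check uses the median interval rather than the mean. A stricter policy, which tools such as USBGuard implement, is to block any newly attached keyboard until an administrator approves it.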

The listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of the IBM Simon, the smartphone industry grew rapidly. These days, devices are as powerful as a ten-year-old computer and can perform various tasks that for a long time were reserved for computers. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with an even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discontinue support for devices older than about four years. In practice, this means that these devices no longer receive security patches or the latest version of their operating system, which leaves thousands of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Because your smartphone is constantly near you, hackers can use it to listen in on your daily conversations. Many hardware vendors implement security measures against this kind of attack, but people must still be aware that it is possible.

Next part is here