"When we win, it is with small things, and the victory itself makes us small"

The video from the 44CON talk (A talk about (infosec) talks) we gave in September has been posted to YouTube.

You can grab the slides [here] | You can watch the video online [here]

Phish your company, before someone else does!

Today we are happy to release to the public: http://phish5.com

Simply, Phish5 is Phishing as a service. It allows a fairly unsophisticated user to phish users in her organization, quickly, easily and from the comfort of her own browser.

Why would we do this?

In the past year, a host of high profile news organizations were phished, and then publicly spanked. The attack that compromised the AP's twitter account [Verge] even led to a visible dip on the Dow.

If you talk to security folks, they will quickly dismiss phishing attacks with a trite "Educate your users". Unfortunately, in any reasonably sized organisation this is not a trivial task, and learning requires constant reinforcement. Phish5 exists to help with this.

A super short registration process, and users can enter a list of victims, create phishing mails, create phishing pages and track results. The whole process should take less than 5 minutes!

Phish5 means that you can track people's behaviour changing over time.
  • Is Edward from HR just not getting it? (He seems to have been phished in the last 2 campaigns.)
  • Why does Edna always log in to fake OWA pages?
Phish5 makes running campaigns, and monitoring them, trivial for just $99. From user registration to a running campaign in under 5 minutes. Give it a spin, and give us feedback. Like it reads: "Built with love".

Introducing Consli, easy scheduling and feedback for conference organisers and attendees

The number of security conferences shows no signs of slowing down, feeding an ever-growing appetite for talks, presentations and content. If you're anything like us, both attending and speaking at conferences is part and parcel of your job, even if it's one event per year. In the absence of publication channels available in other disciplines such as good quality journals, security researchers have the option of blog posts, ezines such as Phrack, mailing lists or conferences. Many choose to go to conferences.

It's a source of regular wonder that computing/IT conferences are still so heavily paper-based. Your conference pack is typically a sheaf of papers that includes, at a minimum, a schedule and a set of feedback forms. They lead to a few headaches for both attendees and organisers.

  • Larger events have schedules where multiple talks happen in parallel. Planning my conference day involves circling talks I want to see, changing my mind, scratching out talks, circling others. This makes my physical schedule my actual planner, which is dangerous because:
  • I usually forget the schedule somewhere, or it's packed away in a backpack. Come the end of a coffee break, my schedule isn't accessible and I must either scratch through my bag, or borrow someone else's schedule or find a printed schedule stapled to a door. Of course, someone else's schedule is also their planner, and has to be handed back on pain of glaring looks.
  • For organisers, printed schedules are a pain. Shuffling the schedule is common, all it takes is one delayed flight or traffic jam. You're now left scrambling to inform everyone of the change. For the prepared organisers, this usually means further printed notices pasted around the venue, but oftentimes attendees are simply not informed about the change.
  • Feedback. How is it that cons so often rely on paper-based feedback? From experience, speaker feedback is useful to two groups: for organisers, it provides insight into the capabilities of speakers, and for speakers there is the obvious benefit in hearing what the audience thought of the presentation. However, paper-based feedback has a high amount of friction. Attendees don't tend to fill out feedback forms, and have to be repeatedly harangued, er, encouraged to do so. I suspect this is a combination of disinterest, a one-way feedback process, and having little incentive to supply feedback. Organisers also face friction in the printing, distributing, collecting, capturing and collating of feedback forms. What this leads to are situations where, at best, feedback is sent to speakers months after the event and, at worst, is simply discarded by organisers without ever being processed.
This past Wednesday and Thursday we trialled a webapp at HITB AMS that scratches these itches. It's designed for mobile devices and obviously runs in a regular browser, and its main capabilities enable organisers to maintain a conference site where attendees can create personal schedules, and provide feedback easily. Being a webapp, it's accessible across multiple platforms provided a recent browser is used. For organisers, the clear wins are easy schedule distribution and feedback, but there are a number of additional features that you might like, including the ability to broadcast notices to attendees, or provide giveaways to those who fill out feedback. Everything is controlled from an organiser dashboard.

We think it's pretty nifty and we call it Consli. It's open for beta.

If you're an organiser looking for a schedule and feedback system for your conference, we can help. Send a mail to signup@cons.li.

ThinkstScapes 2013-AH1: On the China report

The Mandiant APT1 report that was released a week ago has been causing some consternation, which makes it a ripe topic for our ThinkstScapes service. This morning, we issued an ad-hoc update to our customers containing our views of the APT1 report. In short, the data is interesting, but does not conclusively point to Unit 61398. There are too many open questions to justify the finger pointing.

Take, for example, the markers released for the APT1 group. The report does not contain sufficient data to replicate the grouping of attackers bearing those markers into a single cohesive unit. By Mandiant's own admission the presence of a single marker is insufficient to tag an attacker as APT1, but thresholds are not provided for the number of markers required. In the end, it appears as if the classification boils down to an analyst's opinion; metrics are absent from the public report. The entire report is founded on the notion that APT1 exists and is definable; should this not be the case, the report's raison d'être evaporates. Corroboration is needed in the form of convincing evidence.

In addition, the conclusion that blames hacks supposedly originating from an area the size of Los Angeles on a military unit's building in the same area is weak. In this regard, the press' use of the word "neighbourhood" to describe Pudong is misleading. Today's ad-hoc update examines these and other issues in greater detail, and extracts the bits we believe matter for corporates.

To be clear, we do not defend China or absolve it from hacking or espionage; we have little doubt that it conducts such operations as, presumably, do the US and other sufficiently resourced nations. Permit me to repeat this: we are not saying the Chinese government does not hack the US. Our concern is with this specific report; it is the first concrete public attribution of ongoing espionage against the US, and, if the report sets the standard for attribution, future events will be highly muddled as competing hypotheses all meet the low standard set out in Mandiant’s APT1 report. Unfortunately it seems that contrary opinions are being subjected to a level of diatribe usually reserved for arguments of faith, not facts.

Part of the problem is that there appears to be an information differential, in which a number of folks with apparent non-public information are saying "it's totally legitimate", while those without the information are saying "this does not follow". Mandiant can help the APT1 debate by releasing more data to reduce this differential, specifically:
  1. Is there further evidence that ties the subset of observed IP ranges to the Unit 61398 Pudong building apart from a WHOIS record? (Note that the fibre infrastructure was provided by a different company than the listed owner of the IP ranges.)
  2. The number of attacks that would be classified as APT1 except for the fact that their sink address (e.g. HTRAN receiver) was NOT in Shanghai. What is the method for arriving at this classification? Phrased differently, how much weighting does a Shanghai IP address have in the APT1 cluster?
  3. A timestamped listing of known APT1 connections with their associated IP addresses, which would show us the activity levels of APT1.
  4. Metrics showing how many of the APT1 markers are shared with other groups under observation, and to what degree? (i.e. what is the overlap of domains, address blocks and malware hashes across the various groups?)
  5. How many more profiles of APT1 members were discovered, and what confidence does Mandiant hold in them? It seems strange that such a large group with such poor opsec has not leaked many more profiles.
  6. What is the mapping between APT1-associated domain names and IP addresses at the time of observation?
  7. What confidence level is assigned to the APT1⇿Unit 61398 link claim?
  8. By what reasoning does Mandiant eliminate an explanation for the attack pattern that argues for small non-government teams operating in a loosely connected fashion rather than a cohesive and directed group of operators with a common approach?
These debates are important going forward. Putting aside patriotism and pride, there are important questions which remain to be asked about the attribution of online attacks, and the danger in jumping to conclusions is that, when the shoe is on the other foot, equally weak claims are possible by an opponent. Hopefully any forthcoming additional data will settle these questions and we can get back to our regularly scheduled navel-gazing.
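As an added illustration that is not part of the original post, the overlap and threshold metrics asked for in points 2, 4 and 7 above, run over constructed marker sets: shared markers (such as a common tool) carry no attribution weight, and a cluster is only named once a minimum number of its distinctive markers is hit. All group names, domains, address blocks and hashes below are made up.

```python
from itertools import combinations

# Constructed sample data (not real indicators): marker sets for three observed
# clusters. Domains use the .test TLD and address blocks are RFC 5737 ranges.
GROUPS = {
    "cluster-A": {"domain:a.test", "net:203.0.113.0/24", "hash:sample-a", "tool:htran"},
    "cluster-B": {"domain:b.test", "net:203.0.113.0/24", "tool:htran"},
    "cluster-C": {"domain:c.test", "net:198.51.100.0/24", "hash:sample-c", "tool:htran"},
}


def marker_sharing(groups):
    """Return {marker: set of group names that exhibit it}."""
    shared = {}
    for name, markers in groups.items():
        for m in markers:
            shared.setdefault(m, set()).add(name)
    return shared


def jaccard(a, b):
    """Overlap between two marker sets: |A & B| / |A | B|."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def pairwise_overlap(groups):
    """Jaccard overlap for every pair of groups (the 'degree of overlap' metric)."""
    return {(x, y): jaccard(groups[x], groups[y])
            for x, y in combinations(sorted(groups), 2)}


def distinctive_markers(groups, name):
    """Markers seen in `name` and in no other group; only these carry attribution weight."""
    sharing = marker_sharing(groups)
    return {m for m in groups[name] if sharing[m] == {name}}


def attribute(observed, groups, min_distinct):
    """Name a group only if the observed markers hit at least `min_distinct`
    of its distinctive markers and no other group also clears the threshold.
    Shared markers never count, so a common tool alone attributes nothing."""
    hits = {g: len(observed & distinctive_markers(groups, g)) for g in groups}
    candidates = [g for g, n in hits.items() if n >= min_distinct]
    return candidates[0] if len(candidates) == 1 else None
```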

Your company's security posture is probably horrible (but it might be OK).

The past few years have provided us with a number of high profile hacks and data breaches. In 2010 Google famously announced that they were hacked and put out details on the compromise (later dubbed the Aurora incident). In the months that followed, it became clear that Google was not the only Aurora victim. Companies in almost every sector from DuPont to Disney were also breached (but were less forthcoming on the details).

If these companies, widely lauded as having the brightest minds in their respective spaces, were so publicly spanked, an obvious question raises its head:

Why wasn't yours?

Sadly, two of the likeliest answers to this question are equally uncomfortable:
a) you haven't been compromised (yet) because people haven't bothered
b) your company has been compromised and you just don't know it

Brian Snow, former director of Information Assurance for the NSA, said it best at a conference in Greece recently: "I'm here to tell you that your cyber systems continue to function and serve you not due to the expertise of your security staff but solely due to the sufferance of your opponents".

Introducing... Signalnoi.se

This post is about 6 months overdue, but we have been busy with a whole bunch of interesting projects (which always manage to dent blogging time).

One of these projects is http://signalnoi.se

We formed Thinkst to work on difficult, interesting problems, and while working on security problems for a well known media organisation, we bumped into a (surprisingly common) problem organisations have: failing to benefit from the insights available from real-time social media networks.

Signalnoi.se managed to win the Knight Foundation's News Challenge in 2012 (which we take as pretty good validation for the idea). If you have 3 minutes, check out the video on the signalnoi.se page. It still shows version 1 of the interface (we have gotten all fancy since!) but should give you a good overview of the product.