Eurotrash Security Podcast

By
The guys over at the Eurotrash Information Security Podcast had me on last week. We discussed HBGary, Thinkst, ZaCon and a bunch of other stuff..

It was pretty enjoyable (although i tried listening to myself and think its a lucky thing i dont do this too often). You can grab it [here]

Comments

Post a Comment

Check out some of our other popular posts:

A “Safety Net” for AWS Canarytokens

By
Image
The AWS API Key Canarytoken (paid and free) is a great way to detect attackers who have compromised your infrastructure. The full details are in a previous blogpost , but in short:  You go to https://canarytokens.org and generate a set of valid AWS API credentials; Simply leave those in ~/.aws/config on a machine that's important to you Done! If that machine is ever breached, the sort of attackers who keep you up at night will look for AWS API credentials, and they will try them.  And when they do, we let you know that you’ve been breached. When you receive an email/SMS/Slack message letting you know that the AWS API key that you left only on BuildServer-7 in Server-room #12 just got used to login to AWS, you know you have a problem.  The underlying Canarytoken infrastructure relies on AWS APIs logging their own execution to CloudTrail. This lets us identify: which IP made the call; which API was executed (including both the service name and function); plus other details about
Read more

Sensitive Command Token - So much offense in my defense

By
Image
Introduction:  Many people have pointed out that there are a handful of commands that are overwhelmingly run by attackers on compromised hosts (and seldom ever by regular users/usage). Reliably alerting when a user on your code-sign server runs whoami.exe can mean the difference between catching a compromise in week-1 (before the attackers dig in) and learning about the attack on CNN. Introducing our new Sensitive Command Canarytoken. This quick/simple Canarytoken alerts you any time your chosen command is executed on a host.  For example: This token creates registry keys to alert you anytime whoami.exe runs on a host. If an attacker lands on the server and runs whoami.exe (as most attackers almost instinctively do) they get the results they expect. And you get an alert to let you know that something bad is afoot. Why this token? In nearly every ransomware report, we can see attackers running a series of predictable commands on endpoints.  https://thedfirreport.com/2022/08/08/bumblebee
Read more

Building WireGate: A WireGuard front to detect compromised keys

By
Image
Earlier this year we released our WireGuard Canarytoken . This allows you to add a “fake” wireguard VPN endpoint on your device in seconds. The idea is that if your device is compromised, a knowledgeable attacker is likely to enumerate VPN configurations and try connect to them. Our Canarytoken means that if this happens, you receive an alert. This can be useful at moments like national border crossings when devices can be seized and inspected out of sight. Using the WireGuard Canarytoken If all you want is to scatter a million of these WireGuard VPN configs across all devices you care about, there's no need to read this further: they’re now freely available from canarytokens.org for anyone to grab! (Paying Canary customers will already have seen these on your private Canary Consoles). But! If you’re interested in how we built these tokens and how they manage to work reliably and safely at scale, then this post is for you. Along the way we’ll cover some of our design choices and w
Read more