All posts by Michael Buckbee

[Podcast] Manifesting Chaos or a Security Risk?

Leave a review for our podcast & we'll send you a pack of infosec cards.


Regular listeners of the Inside Out Security podcast know that our panelists can’t agree on much. Even a bold allegation such as “IT is the most problematic department in an organization” can be, ahem, controversial.

But whether you love or hate IT, we can’t deny that technology has made significant contributions to our lives. For instance, grocery stores are now using a system, order-to-shelf, to reduce food waste. There are apps to help drivers find alternate routes if they’re faced with a crowded freeway. Both examples are wonderful use cases, but also have had unforeseen side effects.

Even though profits are up, empty shelves at grocery stores are frustrating shoppers and employees alike. Quiet neighborhoods that became alternate routes are now dealing with an influx of drivers and the noise that comes with them.

When there are unforeseen consequences from a technological improvement, are we manifesting chaos or a security risk?

Other articles discussed:

Tool of the week: Pown Proxy

Panelists: Kilian Englert, Mike Buckbee, Matt Radolec

How to use PowerShell Objects and Data Piping

This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

What makes a PowerShell Object?

If there’s one fundamental difference between PowerShell and the scripting languages that came before it, it’s PowerShell’s default use of objects (structured data) instead of plain strings (undifferentiated blobs of text).

Consider something like a car. It has:

  • Colors
  • Doors
  • Lights
  • Wheels

These items that describe this particular object are called properties. Your car can also do things: it can turn left and right, it can move forward and back. These are the methods of the object.

Properties: the aspects and details of the object.
Methods: actions the object can perform.

What’s the PowerShell Pipeline?

PowerShell was inspired by many of the great ideas that make up “The Unix Philosophy” – most notable for us today are two points:

  1. Make each program do one thing well. To do a new job, build afresh rather than complicate old programs by adding new “features”.
  2. Expect the output of every program to become the input to another, as yet unknown, program. Don’t clutter output with extraneous information. Avoid stringently columnar or binary input formats. Don’t insist on interactive input.

In practice, what these somewhat abstract points of philosophy mean is that you should create lots of small, purposeful PowerShell scripts that each do a particular task. Every time you go to put an If/Else, another flag, another bit of branching logic, you should ask yourself: “Would this be better as a separate script?”

An example: don’t make a script that downloads a file and then parses the downloaded data. Make two scripts:

  1. One that downloads the data – download.ps1
  2. A second that handles parsing the data into something usable – parse.ps1

To get the data from download.ps1 to parse.ps1 you would “pipe” the output of the first script into the second.

How to find the Properties and Methods of a PowerShell Object

There are far too many aspects of even the simplest object in PowerShell to remember. You need a way to interactively find out, as you’re writing your scripts, what each object you encounter can do.

The command you’ll need for this is the Get-Member cmdlet provided by Microsoft.

How To Use Get-Member

Get-Member
   [[-Name] <String[]>]
   [-Force]
   [-InputObject <PSObject>]
   [-MemberType <PSMemberTypes>]
   [-Static]
   [-View <PSMemberViewTypes>]
   [<CommonParameters>]

Get-Member helps reinforce an idea that I had a lot of difficulty grappling with in moving from bash to PowerShell scripting, that everything (literally everything) in PowerShell is an object. Let’s take a really simple example:

1. Use the Write-Output cmdlet to write some info into our PowerShell console.

Write-Output 'Hello, World!'

2. Assign that output to a variable called $string

$string = Write-Output 'Hello, World!'

3. Pipe the $string variable (that contains 'Hello, World!') to the Get-Member cmdlet

$string | Get-Member

You’ll get a table headed TypeName: System.String with one row per member (Name, MemberType, Definition):

A list of the properties and methods of this object of type String. Every String has the same members, but what they return depends on the data the object holds.

Some examples:

A string object of 'Hello, World!' has a length (property) of 13
A string object of 'Hello, People of Earth!' has a length of 23

Calling Methods and Properties with Dot Notation

All of the Methods and Properties of an Object need to be called with a type of syntax called “Dot Notation” which is just a fancy way of saying:

OBJECT.PROPERTY

Some examples:

$string.Length
13

Methods are invoked in the same way, but parentheses are added.

$string.ToUpper()
HELLO, WORLD!

$string.ToLower()
hello, world!

Neither of these methods takes any “arguments” (values passed in as parameters between the parentheses).

$string.Replace('Hello','Goodbye')
Goodbye, World!

The Replace method does take arguments: the first is the text you’re looking for in the string ('Hello') and the second is what you’d like to replace it with. Note that .Replace() is a literal, case-sensitive match, so $string.Replace('hello','goodbye') would return the string unchanged; PowerShell’s -replace operator, by contrast, is case-insensitive and treats its first argument as a regular expression. Which one you reach for matters when you’re filtering things like user or host names.

How to Make our Own PowerShell Objects

Our $string variable that we created was of Type System.String – but what if we wanted to create our own type of object instead of relying upon the built-in types?

1. Create HashTable

A hash table is a Key + Value datastore where each ‘key’ corresponds to a value. If you’ve ever been given an employee number at a job or had to fill out a timesheet with codes given to each company you’ll be familiar with the concept.

$hashtable = @{ Color = 'Red'; Transmission = 'Automatic'; Convertible = $false }

If you pipe this to Get-Member you’ll now get a different listing of methods and properties because it’s a different Type (it’s System.Collections.Hashtable instead of System.String).

2. Creating a PowerShell Custom Object

To transform this from a hashtable to a full-blown PowerShell object, we use what’s called a “type accelerator”, pscustomobject, as a cast: [pscustomobject]$hashtable

When we run this and compare the Get-Member results to what we had previously, you’ll notice a marked difference. Gone are the generic methods and properties of a hashtable; in their place are the properties you specified (Color, Transmission and whether or not it’s a Convertible).
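As an added example (not part of the course material), here is the hashtable-to-object step carried one stage further: the object gets methods as well as properties, using the article’s car metaphor. The car members (Heading, TurnLeft, TurnRight) are invented for illustration, not a real API.

```powershell
# [ordered] keeps the keys in declaration order; a plain @{} does not promise
# any order, which shows up later in Format-Table / Export-Csv column order.
$hashtable = [ordered]@{ Color = 'Red'; Transmission = 'Automatic'; Convertible = $false }

# A hashtable's "Color" is a key, not a property: Get-Member lists Keys,
# Values, Add(), Remove() and so on, nothing about cars.
$hashtable | Get-Member | Select-Object -First 8

# The type accelerator turns each key into a NoteProperty on a new object.
$car = [pscustomobject]$hashtable

# Custom objects can carry methods too. Add-Member attaches a ScriptMethod
# whose body reads and changes the object's own properties through $this.
$car | Add-Member -MemberType NoteProperty -Name Heading -Value 0
$car | Add-Member -MemberType ScriptMethod -Name TurnRight -Value {
    $this.Heading = ($this.Heading + 90) % 360
    $this   # return the object so calls can be chained
}
$car | Add-Member -MemberType ScriptMethod -Name TurnLeft -Value {
    $this.Heading = ($this.Heading + 270) % 360
    $this
}

# Now Get-Member shows exactly the members we defined
$car | Get-Member -MemberType NoteProperty, ScriptMethod

# Dot notation for both kinds of member; methods need the parentheses
$car.Color                               # Red
$car.TurnRight().TurnRight().Heading     # 180
$car.TurnLeft().Heading                  # 90

# Properties are typed values, not text: Convertible is a real [bool], so
# this test behaves correctly (a string 'false' would have been truthy).
if (-not $car.Convertible) { 'Hard top' }
```

Piping the hashtable itself to Get-Member works because PowerShell does not unroll dictionaries in the pipeline the way it unrolls arrays; you get the dictionary’s members, not its entries.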

Getting Into the Pipeline

Some people get really hung up on what’s the difference between a script and an application. In general, scripts are small and do one very concise action. Applications are large (comparatively) and bundle together tons of features.

Consider the approach to exposing functionality in Microsoft Word versus how similar features would be presented as a series of scripts.

In Word, the word count is continually displayed in the status bar at the bottom of the editing window.

You can click it and get more detailed statistics (one of the many thousands of features in Microsoft Word).

In PowerShell scripting you’d use two separate cmdlets to achieve this functionality:

Get-Content reads a text file and emits one string object per line (everything in PowerShell is an object), and Measure-Object then collects statistics about those objects for us.

Putting it together you’d have:

Get-Content c:\documents\myfile.txt | Measure-Object -Word

The `|` character in between the two commands is the “pipe” which indicates that instead of displaying the output of the Get-Content command in the PowerShell command window, it should instead pass that data to the next script (the Measure-Object cmdlet).

Now, you might be looking at this example and thinking to yourself: “That’s a very convoluted way of finding out how many words are in a file” and you wouldn’t be wrong. But the important thing to consider is that the right-hand side of the pipe doesn’t “care” what comes before it.

Instead of importing a single file, maybe we’re writing a novel with 60 different chapters (one chapter per file), we could concatenate all of those files together and pipe the result to Measure-Object and get a word count for the whole book in one go.

How to Use the Pipeline

As a more practical example of using piping for sysadmin tasks, let us try to find and restart a service with PowerShell.

For this, we’re going to be using two cmdlets: Get-Service and Restart-Service.

To start, we can walk through the steps as if we were doing everything manually.

First, let’s look for the Windows Audio Service

Get-Service -Name audiosrv

If you’re in PowerShell (look for the PS prompt) you should get a single row showing the service’s Status, Name and DisplayName.

And having found the service is present, we could then restart it.

Restart-Service -Name audiosrv

If we’re using pipelines, we could instead pipe the entire object into the Restart-Service cmdlet.

Get-Service -Name audiosrv | Restart-Service

The above is functionally the same but happens as a single command.

To extend this further, we can use the -PassThru parameter to keep passing the service object through each cmdlet.

Get-Service -Name audiosrv | Restart-Service -PassThru | Stop-Service

Through this, we’re able to apply a number of commands to the same initial object.
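The same Get-Service | Restart-Service chain, as an added example (not from the course), with the edge cases a real run hits: a service that doesn’t exist, a service that isn’t running, and a dry run before the real one. The service names are real Windows short names, but whether each exists on your machine is not assumed.

```powershell
$names = 'audiosrv', 'spooler', 'nosuchservice'

# -ErrorAction SilentlyContinue keeps a missing service from aborting the
# pipeline; -ErrorVariable collects those errors so they are not simply lost.
$services = Get-Service -Name $names -ErrorAction SilentlyContinue -ErrorVariable notFound
foreach ($e in $notFound) { Write-Warning $e.Exception.Message }

# Only restart what is actually running; stopped or disabled services are skipped.
# -WhatIf is a dry run: it prints what would be restarted and changes nothing.
$services | Where-Object { $_.Status -eq 'Running' } | Restart-Service -WhatIf

# The real run. -PassThru hands the ServiceController objects to the next stage
# instead of swallowing them, so we can report the post-restart state.
# Restart-Service needs an elevated (Administrator) PowerShell for most services.
$services |
    Where-Object { $_.Status -eq 'Running' } |
    Restart-Service -PassThru -ErrorAction Continue |
    ForEach-Object { $_.Refresh(); $_ } |     # Status is cached on the object; refresh it
    Select-Object Name, Status, StartType
```

Running the -WhatIf stage first is the habit worth forming: the same pipeline with a broader Get-Service filter would happily bounce every running service on the box.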

Now for a more real-world example.

Pinging a Collection of Computers with PowerShell

To start, we have a number of computer hostnames (one per line) in a text file.

Your first instinct might be to try and directly pass the file to the Test-Connection cmdlet, like:

Get-Content -Path C:\Example.txt | Test-Connection

However, we still need to be cognizant of what type of object is being passed. Get-Content emits each line as a bare string, and whether Test-Connection will bind bare strings coming down the pipeline depends on how its -ComputerName parameter accepts pipeline input. Rather than guess, we check what format the cmdlet expects.

To figure that out, we turn to the Get-Help cmdlet

Get-Help -Name Test-Connection -Full

“Full” indicates that the parameter listings should include not just the names and usage, but also whether or not they accept pipeline input, and if they do, what format.

In the parameter listing for -ComputerName you can see that “Accept pipeline input?” is True, and the mode given alongside it is what matters: when it says ByPropertyName, the cmdlet looks for an incoming object with a ComputerName property rather than taking a bare string.

The following extracts each line of the input file, wraps it in a pscustomobject with a ComputerName property (as Test-Connection requires) and pipes those objects on:

Get-Content -Path C:\Example.txt | ForEach-Object { [pscustomobject]@{ ComputerName = $PSItem } } | Test-Connection
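The ComputerName wrapper above is one instance of a general mechanism, parameter binding from the pipeline, so here is an added example (not from the course) that goes a step further: it reads a parameter’s binding rules as an object rather than from help text, and defines a function that accepts both bare strings and objects with a matching property. Test-HostList is a hypothetical name; the host list is constructed sample input standing in for Get-Content C:\Example.txt.

```powershell
# 1. Inspect the binding rules programmatically (the same information that
#    Get-Help -Full prints under "Accept pipeline input?").
$cmd = Get-Command Test-Connection
# Windows PowerShell calls the parameter ComputerName; PowerShell 7 renamed it
# TargetName (ComputerName survives there as an alias).
$paramName = if ($cmd.Parameters.ContainsKey('ComputerName')) { 'ComputerName' } else { 'TargetName' }
$cmd.Parameters[$paramName].Attributes |
    Where-Object { $_ -is [System.Management.Automation.ParameterAttribute] } |
    Select-Object ParameterSetName, ValueFromPipeline, ValueFromPipelineByPropertyName

# 2. A function that binds either way, so callers never need the wrapper.
function Test-HostList {
    [CmdletBinding()]
    param(
        # ValueFromPipeline: a bare string binds here directly.
        # ValueFromPipelineByPropertyName: an object's ComputerName property binds here.
        # The aliases let objects with HostName or DNSHostName (e.g. AD computer
        # objects) bind too, without the caller renaming anything.
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('HostName', 'DNSHostName')]
        [string[]]$ComputerName
    )
    process {
        # process {} runs once per pipeline item; $ComputerName holds that item
        foreach ($target in $ComputerName) {
            # -Quiet returns $true/$false instead of a status object; an unresolvable
            # name produces an error, which we silence and treat as unreachable
            $ok = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
            [pscustomobject]@{ ComputerName = $target; Reachable = [bool]$ok }
        }
    }
}

# Constructed sample input (not a real file)
$hosts = 'localhost', '127.0.0.1', 'host.invalid'

# ByValue: bare strings, exactly what Get-Content would emit
$hosts | Test-HostList

# ByPropertyName: objects carrying a ComputerName property
$hosts | ForEach-Object { [pscustomobject]@{ ComputerName = $_ } } | Test-HostList
```

PowerShell tries ByValue before ByPropertyName, so a function declared this way takes strings when it gets strings and reads the property when it gets objects; the caller’s pipeline stays as short as the Get-Service example earlier.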

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

How To Get Started with PowerShell and Active Directory Scripting

Build a Full PowerShell Utility

This article is a text version of a lesson from our PowerShell and Active Directory Essentials video course (use code ‘blog’ for free access).

The course has proven to be really popular as it walks you through creating a full Active Directory management utility from first principles.

Coding With PowerShell

It can be hard to get started with PowerShell, especially if over the years you’ve become accustomed to working with the cmd.exe command line or batch files. In this article (based on Lesson 2 of our PowerShell and Active Directory course), we’ll cover how and why you should upgrade your skills to PowerShell and the fundamentals of launching the PowerShell editor, command completion and how to get always up to date help and examples.

Running Commands

The PowerShell console is an interactive console that enables you to run various commands in real time. There’s no need to edit a script in Notepad and then run it separately, a big time saver.

If you’re in any organization that’s been around for any length of time, you’ve probably already got some smaller scripts, bat files, or procedures that you run from the cmd.exe command line. Great news! You can invoke all of that from within PowerShell; this was a deliberate design decision on the part of Microsoft, who were trying to make the transition as easy as possible for sysadmins.

In appearance, the PowerShell editor looks and functions just like the cmd.exe command prompt environment. The utilities and skills you already know will work within PowerShell right now with no modification. If you’re working on making the transition from one-off tasks to enabling a more automated network, getting in the habit of firing up PowerShell instead of the command prompt is a good way to start.

All of your often used utilities like ping, ipconfig, dir, etc will all work exactly as you’ve come to expect.

How to Find PowerShell Commands

People love PowerShell because it’s so, well, powerful. But that power comes from an absolutely insane amount of complexity. It’s just not feasible or practical for someone to memorize all of the different commands, cmdlets, flags, filters and other ways of telling PowerShell what to do.

Thankfully, built right into the editor are multiple tools to help you deal with this fact.

Tab Completion

There’s no need to memorize all of the different commands or exact spelling of a command. Type

get-c

into the editor and hit the TAB key: you’ll cycle through all the commands beginning with what you had input so far. This works at any section of the command you’re trying to invoke: the name, but also the flags and paths you’re manipulating to get your desired outcome.

Get-Command

While tab completion works well, what happens if you don’t know the name of the command you’re looking for? In that case, you’d use a command for finding other commands: Get-Command.

In searching for commands, it’s important to keep in mind that there’s a syntax to them: VERB-NOUN. Typically the verbs are things like Get, Set, Add, Clear, Write and Read and the Nouns are the files, servers, or other items within your network and applications.

Get-Command is a discovery tool for exploring the commands available on your system.

PowerShell’s Command Syntax

Someone once described the Perl scripting language as looking like “executable line noise” – an incredibly useful tool with a wildly opaque syntax and a correspondingly high learning curve.

While not quite to that level the traditional command prompt in Windows isn’t too far off. Consider a common task like finding all the items in a directory whose names start with the string ‘Foo’.

CMD: FOR /D /R %G IN ("Foo*") DO @ECHO %G

FOR and DO indicate that it’s a loop.
The /D switch means the loop is over directories rather than files.
The /R switch walks the directory tree recursively, rooted at the current path.
The pattern that defines the set of items to loop over follows IN.
@ECHO instructs the script to write out the result of each iteration, and finally
%G is the loop variable. It’s chosen because the letters a, d, f, n, p, s, t and x were already taken by the path-expansion modifiers (%~dG and friends), so starting at G is traditional: it gives you the largest run of unused letters (G, H, I, J, K, L, M) for further variables. In other words, it’s an ugly hack.

Compare that to the PowerShell equivalent:

PowerShell: Get-ChildItem -Path C:\Example -Filter 'Foo*'

The output’s functionally the same, but even in this fairly trivial example, it’s much much easier to understand what’s happening. It’s immediately obvious what all the elements in the command do and how you could modify them. The only slightly non-obvious thing here is the * wildcard character (present in both examples) which indicates that the pattern used to match items should start with ‘Foo’ and end in anything else.

It just keeps getting better from here as say you want to know how to identify just files (not directories) in the path? You could dig up the docs, Google around and try to sort that out with the command line version, or if you’re in PowerShell, type “-” and hit the tab key, rolling through the flag options until the obvious solution shows up.

One Big String vs Object Properties

Servers are no good to anyone if they’re not online, which is why people spend an inordinate amount of time pretending they’re sonar operators on a submarine and pinging them (yes, that really is why it’s named that: https://en.wikipedia.org/wiki/Ping_(networking_utility)).

While the output from ping is useful (and you can run ping from within PowerShell), at the end of the day that output is just a big string: a series of letters and numbers with no defined structure that another command could work with.

PowerShell has a command that’s analogous to ping, but that returns data that’s structured, making it easy to work with. That command is Test-Connection.

Ping a server (named ‘DC’ on the local network) and then run the equivalent Test-Connection -ComputerName DC: the first gives you lines of text, the second gives you objects with properties such as Address, ResponseTime and StatusCode.

Putting aside that it’s easier to read, what’s really important is that you can now pass this information off to another command, incorporate it into a larger utility (as this full course is working towards) or just tweak it so that it makes more sense.
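To make the “one big string” point concrete, here is an added example (not from the course) of what you have to do by hand when a tool only gives you text: parse each ping reply line with a regular expression into an object, then let Measure-Object do the statistics. The ping output is constructed sample text, not captured from a real host, and ConvertFrom-PingOutput is a hypothetical helper name.

```powershell
# Constructed sample ping output (what ping DC prints on Windows)
$pingText = @'
Pinging DC [192.168.1.10] with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=1ms TTL=128
Reply from 192.168.1.10: bytes=32 time<1ms TTL=128
Request timed out.
Reply from 192.168.1.10: bytes=32 time=3ms TTL=128
'@

function ConvertFrom-PingOutput {
    # Emits one object per reply line and one "timed out" record per timeout;
    # header and summary lines produce nothing.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        # Named capture groups land in $Matches after a successful -match
        if ($Line -match '^Reply from (?<addr>\S+): bytes=(?<bytes>\d+) time[=<](?<ms>\d+)ms TTL=(?<ttl>\d+)') {
            [pscustomobject]@{
                Address      = $Matches['addr']
                Bytes        = [int]$Matches['bytes']
                ResponseTime = [int]$Matches['ms']    # "time<1ms" is recorded as 1
                TTL          = [int]$Matches['ttl']
            }
        }
        elseif ($Line -match '^Request timed out') {
            [pscustomobject]@{ Address = $null; Bytes = 0; ResponseTime = $null; TTL = $null }
        }
    }
}

$replies = $pingText -split "`r?`n" | ConvertFrom-PingOutput

# Structured data means the questions are one cmdlet each
$replies | Where-Object { -not $_.Address } | Measure-Object | Select-Object Count   # timeouts
$replies | Where-Object { $_.Address } | Measure-Object ResponseTime -Average -Maximum

# Test-Connection hands you the structured form directly. The property names
# differ by edition (ResponseTime in Windows PowerShell 5.1, Latency in
# PowerShell 7), so check with Get-Member before a script relies on them.
Test-Connection -ComputerName localhost -Count 2 | Get-Member -MemberType Property
```

The regex is the fragile part: ping’s wording is localized and changes between Windows versions, which is exactly the maintenance cost that structured output from Test-Connection removes.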

Getting Help

Up to now, we’ve focused on how to manipulate a particular command as you’re in the middle of it (via tab completion), but as you start doing more and more with PowerShell, the commands become more complex, with even more complex options. While the Verb-Noun syntax helps, what helps even more is having:

1. Up to date documentation
2. Lots of examples

CmdLet Help

In practice, you should combine Get-Command (to find what to use) and then use Get-Help to find out how to use that particular command.

A practical example of how to do this: suppose you need to identify all the running Windows Services on a machine.

You would start by looking for commands for service interaction:

Get-Command -Noun Service

Which would tell you at a glance that you were on the right track. Thinking back to the standard Verb-Noun syntax of PowerShell commands, you want to investigate how to properly use ‘Get-Service’.

For this, you’d use a new command ‘Get-Help’. Start by typing

“Get-Help -” and hit the Tab key

You’ll quickly find the available options, the most obviously suitable one being “-Name”, so you’d try:

Get-Help -Name Get-Service

Immediately you get the full Syntax (and that you can include or exclude names based on filters).

If you wanted to deep dive into a particular aspect of the command you can drill down further with Get-Help, including each parameter

Get-Help -Name Get-Service -Parameter Name

PowerShell Help Examples

Because we’re all humans reading this (no offense Google bot), we have the same mental hurdles to overcome with respect to pattern recognition and translating abstract command syntaxes into what we should actually type to accomplish what we need to get through the day.

By adding the -Examples flag to Get-Help (the examples are also included in the -Detailed and -Full views), you’ll be presented with a set of examples for using the command.

Here is the output for:

Get-Help -Name Get-Service -Examples

Staying Up To Date

Nothing is more frustrating than entering exactly what an example says you should, only to have it not work as documented. Often this is caused by out-of-date documentation, bad examples, or updated libraries.

Sidestep these frustrations, and pick up new examples and fixes, with the

Update-Help

command, which downloads the latest help files for the modules installed on the machine. In Windows PowerShell this needs an elevated (Administrator) prompt, because the help files are written under the system module directories.

Next Steps with PowerShell

Want to learn more? Use unlock code ‘blog’ for free access to the full PowerShell and Active Directory Essentials video course.

Have I Been 2 Testify Before Congress

Troy Hunt, creator of HaveIBeenPwned and Varonis partner – testified before the US Congress to talk about data breaches and cybersecurity: he gave context and recommendations about the recent spate of massive data breaches, and what Congress can do to help protect both the privacy and digital assets of its citizens.

This testimony couldn’t have come at a better time – just as it came to light that a previously undisclosed Uber data breach had leaked 57 million driver and rider accounts. It underscores that today, data breaches are an ever-present threat that even top tech companies struggle to contain.

You can read Troy’s full prepared statement here – https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/

The hearing (and Troy’s comments) focused on digital identity verification as a means of lessening the impact of a data breach – here’s a quick rundown of some of the highlights:

Data Breaches

  • Are caused by a variety of configuration and malicious factors.
  • Have become more of an issue as data storage prices have fallen, encouraging a “data hoarder” mentality.
  • Often aren’t even known to have occurred until years after the fact.
  • Are aggressively traded by groups wanting to use the credentials for purposes of identity theft, spam, and spear phishing attacks.

Data Breach Vectors

  • There’s no agreed upon definition of what exactly constitutes a data breach – and “data breach” itself is a catch-all term for a variety of different types of incidents where an organization has lost control of the data they have been entrusted with.
  • The rising ubiquity, low cost and inherent connectivity of cloud-based data storage services have contributed to more data breaches occurring. See How to Better Structure AWS S3 Security
  • A single firewall rule or one relatively minor permissions change can inadvertently expose the entirety of an organization’s data to the Internet.

On Data Breach Timing

  • Several breaches dominated the news at the same time as the hearing – Uber’s massive cover-up of a previously undisclosed leak, and the image sharing social network Imgur discovered evidence of a breach that had occurred back in 2014.
  • There’s an important distinction between the timing of the data breach itself and the public disclosure of that breach.
  • Data Breach disclosures often happen years after the fact – due to a mix of not knowing and deliberate choice.

The now growing banality of data breaches and their (relatively) low outward cost to organizations is coming to a point with potential legislation like the upcoming EU General Data Protection Regulation (GDPR).

While there is no general domestic data privacy regulation (as opposed to sector-specific data protections like HIPAA), there is a patchwork of state-by-state data protection legislation already in effect.



Much of the focus of this legislation is on financial and identity data: a common clause is that if a certain number of records are released, the credit reporting agencies must be contacted, affected users notified by various means, and so on.

In Europe, the GDPR (solutions.varonis.com/gdpr) goes into effect on May 25th 2018. The regulation covers EU citizens’ data held anywhere in the world (affecting US organizations as well) and imposes significant penalties on companies that violate its data protection provisions.

The GDPR is a huge step towards regulating data protection and making it law that organizations should implement a standard of data security. We even made a course with Troy Hunt to walk through everything you need to know about GDPR, the GDPR Attack Plan (use code ‘troy’ to unlock the course) at https://info.varonis.com/gdpr-attack-plan?unlock_code=troy

While the testimony of one lone Australian Infosec practitioner is not going to singlehandedly solve the data breach problems plaguing the world, it represents a solid and serious step towards better understanding the problem and taking action on the part of the US Congress.

[Podcast] Security and Privacy Concerns with Chatbots, Trackers, and more

The end of the year is approaching and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses – remote controls, service workers, and personal cars.

Meanwhile, as the business world phases out old technologies, some are embracing new ones. For instance, many organizations today use chatbots. Yes, they’ll help improve customer service. But some are worried that when financial institutions embrace chatbots to facilitate payments, cyber criminals will see it as an opportunity to impersonate users and take over their accounts.

And what about trackers found in apps bundled with DNA testing kits? From a developer’s perspective, all the trackers help improve the usability of an app, but does that mean we’ll be sacrificing security and privacy?

Other articles discussed:

  • Australian government considers allowing firms to buy facial recognition data
  • Replay scripts to track cursor

Tool of the Week: Sword

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

[Podcast] The Challenges and Promise of Digital Drugs

Recently the Food and Drug Administration approved the first digital pill. This means that medicine embedded with a sensor can tell health care providers (doctors, and any individuals the patient approves) whether the patient has taken his medication. The promise is huge. It could ensure better health outcomes for patients, giving caretakers more time with the ones they love. What’s more, by learning more about how a drug interacts with the human body, researchers might find ways to prevent illnesses that were once believed impossible to cure. However, some security pros in the industry believe that the potential for abuse might overshadow the promise of what could be.

Other articles discussed:

Tool of the week: Quad9

Panelists: Mike Thompson, Kilian Englert, Mike Buckbee

[Podcast] Bring Back Dedicated and Local Security Teams

Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question!

I found a possible answer to that question at New York Times director of infosecurity, Runa Sandvik’s recent keynote at the O’Reilly Security Conference.

She told the attendees that many moons ago, Yahoo had three types of infosecurity departments: core, dedicated and local.

Core was the primary infosec department. The dedicated group were subject matter experts on security, still in the infosec department, but who worked with other teams to help them conduct their activities in a secure way. The security pros in the local group were not officially in the infosec department, but they were the security experts on another team.

Who knew that once upon a time dedicated and local security teams existed?! It would make natural sense that they would be the ones to assist end users on security questions, why don’t we bring them back? The short answer: it’s not so simple.

Other articles discussed:

Panelists: Kilian Englert, Forrest Temple, Matt Radolec

5 Last Minute Halloween Costume Ideas for IT

We’ve all been there. Late night. Cold as a witch’s tomb. Deep within the catacombs of the Datacenter. You hear a loud noise and are relieved when it turns out to be a demonic entity from an alternate plane of existence forcing itself into our world and not something genuinely frightening like a RAID enclosure seizing up or a rack toppling over.

But this can only mean one thing: it’s Halloween and here you are without a costume. Varonis is here to help with some last minute costume ideas for the IT professional.

1. Locky Ransomware

Great art comes from a place deep within, just like when in the cinematic tour de force “Suicide Squad”, Jared Leto brought the crazy energy of the Joker to life by leaving dead rats around the set and plotting future visits to Hot Topic to flesh out his character.

Costume Items

  • Combination Locks
  • Bike Chains
  • Mirror (to practice saying: “Yeah! Yeah! Super Weird! Who Would Do Such A Thing!” without flop sweating in).

Directions

Method act your way into being the Locky Ransomware Virus by chaining shut file cabinets, the office fridge and the “good” office bathroom (You know the one? One floor down on the level where sales used to be?).

Be sure to leave a Post It at each location stating that you’ll remove the locks once .2 BTC is deposited in your wallet.

2. Blad the Crimper

Cruelly overlooked by history and eclipsed by his more famous cousin (Vlad the Impaler). Blad is fighting against a society that won’t let him create cables the length that he wants and he’ll stop at nothing to make that happen.

Costume Items:

  • Crimping Tool
  • Dictionary to prove to people that you didn’t just make up the word “crimping”

3. Help Desk Ticket

If it’s one thing that endears you to your co-workers, it’s your insistence on having a help desk ticket for every: “I’ve just got a quick question? Ever since I installed this Free Online Poker website my ‘e’ key doesn’t work. Can you look at why Word won’t print right since the last time you helped me?” that they corner you with.

Costume Items:

  • Posterboard
  • Markers
  • Stapler

Directions:

Bend the poster board around until it makes a cylinder and staple it in place. Use the markers to draw a happy face on it. Place over your head and contemplate why you didn’t go into a less stressful profession like heart surgeon or something.

4. Data Retention Policy

Halloween is a fun time, but it’s also an opportunity to help educate your co-workers on your Data Retention Policy and basic digital security measures.

Costume Items:

  • A paper shredder
  • The longest extension cord you can find.

Directions:

Wander around the office (shredder in tow) removing papers from people’s desks and turning them into meaningless scraps. Be sure to hit the bulletin board in the lunchroom that’s still cluttered with take-out menus from 3 years ago.

If anyone asks why you’re doing this, tell them that they’re part of the problem and if they’d just manage their own files, this wouldn’t be necessary.

5. GDPR: General Data Protection Regulation

Everyone loves a good scare and what’s more frightening than a shadowy group of faceless EU bureaucrats taking 4% of your company’s global revenue because you neglected to purge a server of some old files.

Costume Items:

  • Hans Gruber’s Accent from Die Hard
  • Any countdown app for your smartphone

Directions:

Set the app to countdown to 25 May 2018
Hold it on your forehead “Heads Up” style.
Walk around the Halloween party asking people to divulge everything they know about you under penalty of law.

Krack Attack: What You Need to Know

For the last decade, philosophers have been in agreement that there is another, deeper level within Maslow’s Hierarchy of Human Needs: WiFi Access.

We’re now at the point where even the most mundane devices in your house are likely to be WiFi enabled.

Today we learned that every one of those devices (every smartphone, wireless access point and WiFi-enabled laptop) is potentially exposed due to a fundamental flaw in WPA2 (Wi-Fi Protected Access II).

It turns out that the WPA2 handshake can be manipulated into reinstalling an encryption key that is already in use, which resets the nonce (packet counter) the cipher depends on, in what’s being called KRACK (Key Reinstallation Attack).

The result?

Attackers can view and compromise your encrypted traffic, inject ransomware code, hijack your credentials, and steal sensitive information like credit card numbers, passwords, emails, photos, and more.

Who Is Affected?

Because of how it works, this attack threatens all WiFi networks – and WiFi-enabled devices.

While the flaw is in the WPA2 protocol itself, how that protocol is implemented differs across device and software vendors. Apple’s iOS devices and Windows machines are mostly (as of now) unaffected since they don’t strictly implement the WPA2 protocol and key reinstallation.

The largest group affected are Android users and those other client devices that implemented the WPA2 protocol very strictly.

How the Attack Works

The attack works against WiFi clients and depends upon being within WiFi range of the target device. Attackers can use a special WiFi card that retransmits a previously used session key which forces a reinstallation of that key on the client device.

By doing so (and depending on exactly how WPA2 is implemented on the client device), the attacker can then send forged data to the client. For example, an attacker could silently manipulate the text and links on a web page.

How Practical Is the Attack?

An interesting twist to this attack is that it depends much more upon physical proximity in order to compromise a client since you need to be in WiFi range. An attacker also needs a somewhat specialized networking device and to be able to code up the exploit manually – since no software has yet been released for this attack.

What You Can Do To Protect Yourself Today

The more encryption you run at different layers of the communications stack the better. If you’re in charge of a website, this is just one more in a vast list of reasons you should be forcing SSL/TLS on your site.
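As an added illustration of what “forcing SSL/TLS on your site” looks like in practice (this is example configuration, not from the original article; `example.com`, the web root and the certificate paths are placeholders you would replace with your own), here is an nginx setup that redirects every plaintext request to HTTPS and sends an HSTS header so returning browsers refuse to talk HTTP to the site at all, which is what denies a local WiFi attacker the chance to downgrade the connection:

```nginx
# Added example configuration, not the article's own.
# example.com, the web root and the certificate paths are placeholders.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Send every plaintext request to the HTTPS origin with a permanent redirect.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: a browser that has seen this header will not send plaintext HTTP
    # to this host (or its subdomains) for one year, even if a link or an
    # on-path attacker tries to steer it to http://.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        root /var/www/example.com;
    }
}
```

The redirect alone only protects the first request if the browser initially asks for the plaintext site; the HSTS header is what turns that one-time redirect into a policy the client enforces itself. Test the configuration with `nginx -t` before reloading, and keep the max-age low while you confirm every subdomain actually serves valid TLS, since a misapplied `includeSubDomains` can lock browsers out of a host that still needs HTTP.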

VPNs are also a strong (additional) option: they’re inexpensive, easily configured, and can make Krack much less of an issue. An attacker can view/capture the encrypted data but won’t be able to do anything with it.

What You Can Do In The Coming Weeks

Update your devices – and be mindful of where and on what devices you’re using WiFi.

Every vendor is likely going to release a patch addressing this vulnerability: install the next product update that gets pushed to you – and encourage those around you to install security updates.

Neglected security updates are actually a large and persistent vulnerability: they’re there for a reason – install them! Greater adoption helps everyone. If you need more convincing, check out Lesson 4 of Troy Hunt’s Internet Security Basics.

What You Can Do Long Term

This may spark more (and long-needed) research into the areas of WiFi vulnerabilities.

While you can’t entirely prepare for the unknown, you can set yourself up to respond quickly by establishing good procedures for emergency patch management, implementing defense in depth by layering multiple different security systems and keeping all of your systems as up to date as possible.

This attack highlights that it’s important not to rely solely on any single layer of defense. For many home networks, this is, unfortunately, their only security layer. Always consider what happens when a layer of defense fails.

[Podcast] The Anatomy of a Cybercriminal Startup

Outlined in the National Cyber Security Centre’s “Cyber crime: understanding the online business model,” the structure of a cybercrime organization is in many ways a lot like a regular tech startup. There’s a CEO, developer, and if there are enough funds, an IT department.

However, one role outlined on an infographic on page nine of the report that was a surprise and does not exist in legitimate businesses. This role is known as a “money mule.” Vulnerable individuals are often lured into these roles with titles such as “payment processing agents” or “money transfer agents.”

But when “money mules” apply for the job, and even after they get it, they’re not aware that they are being used to commit fraud. Therefore, if the cybercriminals get caught, the “money mules” might also get in trouble with law enforcement. A “money mule” can expect a freeze on his bank account, face possible prosecution, and might be responsible for repaying the losses. It might even end up on his permanent record.

Other articles and threads discussed:

Tool of the week: SPF Translator

Panelists: Mike Buckbee, Kilian Englert, Mike Thompson

[Podcast] How Weightless Data Impacts Data Security

By now, we’re all aware that many of the platforms and services we use collect and store information about our data usage. After all, they want to provide us with the most personalized experience.

So when I read that an EU Tinder user requested information about her data and was sent 800 pages, I was very intrigued with the comment from Luke Stark, a digital technology sociologist at Dartmouth University, “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.”

He is on to something. We don’t usually consider archiving stale data until we’re out of space. It is often only through printing photos, docs, spreadsheets, and PDFs that we feel the weight and space-consuming nature of the data we own.

Stark’s description of data’s intangible quality led me to wonder how weightless data impacts how we think about data security.

For instance, when there’s a power outage, some IT departments aren’t deemed important enough to be on a generator. Or Infosec is seen as a compliance requirement rather than as security. Another roadblock security pros often face is that when they report a security vulnerability, it’s not usually well received.

Podcast panelists: Mike Buckbee, Kilian Englert, Mike Thompson