Salted Hash Rehashed: Vegas Adventures (Part I)

Welcome to a special edition of Rehashed. After a week in Las Vegas, followed by a week of nothing but sleep and pure laziness (otherwise known as vacation), we’re getting back into the swing of things and catching up on the news and other current events.

I’m writing today’s post as I wait for my coffee to brew. The idea jumped into my head so I wanted to get it down, because it relates to a newly acquired hobby and asset defense.

Earlier this month during DEF CON, CSO Online filmed a video in the Lockpick Village with Scorche, one of the members of TOOOL. The focus was on risk, as it related to locks and the things they protect.

Personally, I’m a novice when it comes to picking locks. At the same time, the process is both relaxing and challenging. The video below has the entire segment.

Way back in June, I came across a post about picking locks that got me thinking about risk, which eventually led to the idea behind the aforementioned video project.

The blog post was written by AttackIQ’s CEO, Stephan Chenette. In it, Chenette describes the aftermath of a talk he was giving, where he invited a group of CISOs to pick a set of handcuffs. Most were skeptical that they could learn to do it, but by the end of the session, all of them could unlock the cuffs with ease.

But there was a reason Chenette taught them to pick locks.

“Your network and host defenses are the digital locks many of you think are unbreakable. To understand them, you must pick them; you must challenge them. The truth is attacker techniques are not that complicated, there are patterns and only by running exercises that mimic likely attack scenarios will you understand your ability to prevent and detect an attack, before it actually happens,” he wrote at the time.

I’m a big fan of organizations testing their own networks, and a massive supporter of red team operations. But, I’m not a fan of placing limits on red teams under the guise of scope.

Real attackers don’t follow scope. The point of having simulated attacks on your network is to locate the weaknesses attackers will target, understand how they’re targeting them, and what your organization can do to prevent said attacks, or increase detection and response.

On the subject of locks and scope, I’m reminded of the recent Safe Skies master key leak. Imagine a red team engagement that involved creating a Safe Skies master key. The overall goal of the engagement is to make sure the master key can be protected from abuse, ensuring that only the proper authorities had access to it.

If the red team was limited by scope, and could only source a Safe Skies master key using the same methods required when the Travel Sentry master keys were developed and leaked – the engagement would be a failure.

This is because there were no images, or improperly released company documents containing the Safe Skies specs. Instead, in order to create the Safe Skies master key, the red team would have to reverse engineer the Safe Skies lock itself and create it from scratch.

The point is, using scope to limit the types of attacks used by the red team could lead to an unsuccessful operation (a win for defenders), but it only offers a partial look at the bigger picture as far as security is concerned.

Other items of note:

No edition of Rehashed would be complete without a listing of interesting items from the week. Below are some of the stories that stood out while I was on vacation.

TCP/IP Flaw could cause massive headaches:

• A flaw in the Transmission Control Protocol (TCP) used by Linux since late 2012 poses a serious threat to internet users, whether or not they use Linux directly.

Spammers favor Trump over Clinton:

• Spammers and cyber attackers are using Trump’s name far more than Hillary Clinton’s in emails pushing get rick quick schemes or phishing for personal information, according to an analysis from Proofpoint.

Samsung both denies and admits mobile payment vulnerability

• Samsung said that reports of a vulnerability in Samsung Pay mobile payments were “simply not true” — but also admitted that token skimming was, in fact, possible but difficult enough that the potential risk was acceptable.

$500,000 iOS bug bounty crushes Apple’s offer

• A security firm is offering up to $500,000 for information on zero-day vulnerabilities in iOS, surpassing Apple’s bug bounty just days after it was announced.