Here’s my latest CyberScoop interview.
My interview from CyberTalks:
It was a fun event; if you’re in the DC area, you should check it out next year!
For five years now, Red Hat and Intel have hosted a small, but very cool security conference called “Defense in Depth (DiD)” in Tyson’s Corner, VA. Its popularity has been increasing, and this year is a sort of watershed event in the show’s history. DiD has, in the past, been very focused on the security of Red Hat’s products; this year we’re casting a wider net around the security of many open source communities.
We even have an infosec A-lister keynoting — none other than David Kennedy of DerbyCon. In case you haven’t been watching CNN, Fox News, or other high-profile media outlets’ reporting on infosec, Dave’s kind of a big deal. His security roots run deep, and I’m super pumped to hear his keynote, “The Changing Tactics of Hackers,” which will talk about how only the first T in TTP tends to change, which can be handy for developing a counter-strategy.
The whole agenda looks cool, but here are some of the talks for which I am particularly stoked:
- Joseph Conway of Crunchy Data: The “Securing PostgreSQL” breakout will look at the newly released PostgreSQL STIG, and promises to be a highly technical look at open source RDBMS security.
- Jamie Jones of GitHub: The “GitHub + Open Shift = Transparent secure pipeline to production” breakout, which will look at using GitHub Enterprise with Red Hat’s container platform, called OpenShift, to provide a repeatable deployment pipeline. Jamie promises to dig into the APIs supporting this, which sounds really cool.
- Dan Walsh of Red Hat: Speaking of containers, security rock star Dan Walsh’s breakout, the “Evolution of Containers,” will examine the exciting and fast-paced evolution of the technology, and where the community wants it to end up.
- Nathaniel McCallum of Red Hat: “Securing Automated Decryption” sounds awesome. As a long-time cypherpunk, I’ve been really excited about Clevis and Tang, which together make up RHEL’s network-bound disk encryption technology. Encrypt all the things!
There are still conference passes available, so if you get geeked on open source security, register here.
I was talking to a friend about the Cyber-ITL. His reaction was, “Wat?” So in case you missed it, an important thing is happening. EDIT: the BlackHat video was DMCAed. Here’s the Def Con version instead, which is better anyway.
Mudge and his wife, Sarah, presented this at BlackHat and Def Con this year.
If you watch only one video in November, make it this one. This is extremely important, and plays a big part in things to come.
- A FAMED HACKER IS GRADING THOUSANDS OF PROGRAMS — AND MAY REVOLUTIONIZE SOFTWARE IN THE PROCESS, The Intercept
- The biggest talk at DEFCON wasn’t a 0-day, Gerald Auger
- CYBER UL COULD BECOME REALITY UNDER LEADERSHIP OF HACKER MUDGE, Threat Post
If you’re into pentesting or red teaming, sooner or later you’ll encounter some standardized methodologies.
The National Institute of Standards and Technology (NIST) has one called the “Technical Guide to Information Security Testing and Assessment,” or SP 800-115. I’m a big fan of NIST, and this is a good place to start, especially if you care about FISMA risk management frameworks. But it’s pretty high-level, and will probably leave you wanting more.
With a little more Googling, you’ll then find pentest-standard.org. The page has a dated MediaWiki interface. It hasn’t been updated in almost a year. But those things don’t matter, this site is made of open source awesomeness.
The meat of the site lives in the PTES Technical Guidelines. It’s fairly extensive, and if you’re already somewhat familiar with information security, it can go a long way to teaching you about penetration testing.
Go ahead and click on it, you’ll need to load the whole thing then zoom. It’s enormous.
Every one of these entries in the mindmap is backed up by some direction in the Technical Guidelines. Granted, PTES doesn’t hold your hand in all places, but for the devoted student of pentesting, this is invaluable stuff.
Now, to be fair, PTES is not the only game in town. There are other methodologies worth mentioning; I’ll write more about them later, but here’s an overview.
OWASP is another open source pentesting framework, but it’s focused on the web application layer. 18F, the folks behind cloud.gov and other cool stuff, requires the use of an OWASP automated scanner called ZAP as part of the ATO process.
ISSAF is another cool methodology, but it’s even harder to navigate than PTES. You can download the rar archive, or navigate the individual .doc files. At some point I hope to map PTES and ISSAF steps to one another to identify gaps in the former and contribute back to the project.
As much as I like it, PTES could really use a little TLC. There are incomplete sections. And a more modern interface would help, possibly even a migration to a GitHub Pages model, which would make community contribution easier. A D3 directed graph (example) would make for a nice, interactive mindmap.
But despite its shortcomings, I’d say it’s still the best open source pentesting methodology out there. Go check it out.
I used to rail against the term “cyber.” As one who grew up during the transitional period between ARPANET and the Internet, “cyber” took on ridiculous meaning. One learned quickly to avoid anyone whose avatar — or blinking cursor back then — asked, “wanna cyber?” Visions of Max Headroom doing unspeakable things were, for me, mentally far too near.
I’m now happy to admit that the term, “cyber,” is actually really cool.
First, let’s look at the origin of the word. Wikipedia tells us that the cyber prefix comes from the word, “cybernetic.” This is cool in and of itself, because the word “cybernetics” dates all the way back to Plato. Digging deeper, we see that the etymology of cybernetics comes from a word familiar to the DevOps world: κυβερνήτης, or transliterated, kubernetes. Etymonline confirms it:
coined 1948 by U.S. mathematician Norbert Wiener (1894-1964) from Greek kybernetes “steersman” (metaphorically “guide, governor”)
This is already pretty great, but the rabbit hole goes deeper. Back to Kaplan (pp. 44-45):
What to call these “other” threats? One word was floating around in stories about hackings of one sort or another: “cyber.” …the term stemmed from William Gibson’s 1984 science-fiction novel, Neuromancer, a wild and eerily prescient tale of murder and mayhem in the virtual world of “cyberspace.”
Kaplan goes on to describe how a Justice Department attorney named Michael Vatis had just read Neuromancer, and suggested they use the term during the development of the Marsh Report. This pleases me greatly, as Neuromancer is probably one of my top three favorite books of all time.
So there you have it — Plato, William Gibson, and Kubernetes all tied up in one awesome word. Now when you hear terms like cyberwar, cybercrime, cyber-anything you can rest assured that the term is not lame, but indeed, quite kick-ass.