Sunday, February 7, 2016
This week the "head hacker" of the NSA gave a talk about defending against nation state attackers. The full talk is hosted on YouTube, The Register has a write-up of the speech, and Defensive Security Podcast Episode 147 also has some comments. This NSA briefing stood out to me because so much of what the speaker, Rob Joyce, had to say is exactly what we've been covering in this Network Administration class. For example, the six-stage process ("reconnaissance, initial exploitation, establish persistence, install tools, move laterally, and then collect, exfiltrate and exploit the data") the NSA uses to crack its targets parallels the attack strategy described in the CompTIA Network Security textbook.
Most of the talk is review at this point: patching vulnerabilities, and restricting access to confidential information and system privileges/rights to isolated systems and essential personnel. The article and podcast I linked above focus on some of the more useful advice in the talk, such as using whitelisting and, possibly the most important tip in the talk, using reputation-based tools before you run code.
What stood out to me, however, was Joyce's explanation that these nation state hackers don't really focus on exploits. They strike patiently and persistently: they wait until they find your weak spot and then exploit it. I may have already known this, but hearing the warning come from the top has raised my paranoia level and alertness. You're waiting for someone outside your network to attack you, but they're already right outside, waiting on you. Or they may already be inside, right under your nose. It's a change of thinking, from waiting for a sign that you're under attack to assuming from the start that you may already be compromised. The question becomes how you're going to look for the attacker inside your network, isolate him, kick him out, keep him away from your sensitive data and make the changes necessary to keep your doors locked.
Another interesting read came out this week on hacking a SQL server without a password. It appealed to me because I'm just starting to see how attacks play out: what has always been a foreign language to me is turning into concepts I can grasp, and my thinking patterns are beginning to shift towards a hacker's mindset. The penetration tester used Kali Linux, ARP spoofing, Wireshark, a man-in-the-middle attack strategy and commands that filtered out strings in the traffic and replaced them with his own user credentials to gain access to the server. He knew what information he needed to collect to have all the pieces required to get in, and then devised a method of getting in. Redditors on Netsec were quick to bash the man for his "l33t haX0r skillz" on an unencrypted machine, but it applied to me because I'm seeing all of these different aspects of computer information I've been learning about come together in practical use.
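The first step of that attack is ARP spoofing, which is also its most detectable step from the defender's side. The following is an added example (my own, not code from the article or the Reddit thread): a small detector that walks a constructed list of ARP replies and flags an IP whose MAC changes, and a single MAC that claims several IPs; the addresses and record layout are assumptions, and the real fix for the credential-substitution part of the attack is encrypting the SQL connection so there are no plaintext strings to replace.

```python
# Added example: minimal ARP-spoofing detector for the MITM described above.
# Not code from the linked article. Sample addresses are constructed.
from collections import defaultdict

# Constructed ARP replies as (seconds, sender_ip, sender_mac).
# 10.0.0.1 is the gateway, 10.0.0.20 the SQL server, 10.0.0.50 a workstation.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:aa:bb:01"),
    (0.5, "10.0.0.20", "00:11:22:aa:bb:20"),
    (1.0, "10.0.0.50", "00:11:22:aa:bb:50"),
    # From here the workstation's MAC answers for both the gateway and the
    # SQL server, which is what an ARP-spoofing MITM looks like on the wire.
    (5.0, "10.0.0.1", "00:11:22:aa:bb:50"),
    (5.1, "10.0.0.20", "00:11:22:aa:bb:50"),
]


def detect_arp_spoofing(replies):
    """Return alert strings for IP->MAC changes and for MACs owning >1 IP."""
    alerts = []
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    for ts, ip, mac in replies:
        mac = mac.lower()
        mac_to_ips[mac].add(ip)
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A legitimate host rarely changes its MAC; a poisoned cache does.
            alerts.append(f"t={ts:.1f}s {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

On a real network the same function can be fed ARP replies pulled from a Wireshark/tshark capture or a periodic dump of the ARP cache.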
The last item for this week is a simple overview of how Windows 10 is built to be secure (with NSA backdoors or not), from its architecture to the fact that it's going to be constantly patched and updated. Some of the most important features listed directly by Microsoft are UEFI Secure Boot, better use of the TPM, Virtualization Based Security, Enterprise Data Collection, Rights Management Services, SmartScreen and Device Guard.
The reason I focused on the last two articles is that I've been putting some thought into my home setup. I'm very comfortable with Windows 7 on my desktop, but I think it's time to upgrade. I may be switching to Windows 10 (my laptop already made the jump at launch) and dual-booting Kali Linux on the side: Windows 10 for security reasons, and Kali because I hear it referenced all the time and I'd like to try my hand at penetration testing. Security on one side, attacking on the other.