Thursday, December 31, 2015

2015 in CONs & Video


Wow...what a whirlwind this year has been!  Got to see so many friends and colleagues at conferences & events near and far.  Quick shout out to all the events that I attended, presented at, staffed, or recorded...

Chattanooga ISSA Chapter       FEB   X
BSides Iowa                    APR   X
Southeast CCDC RedTeam         APR   X
Palmetto CCDC RedTeam          APR   X
Charlotte ISSA Annual Summit   MAY   X
BSides Augusta                 SEP   X


BSides Iowa   12   12+   ~4983   15GB

In all, my favorite video from 2015 was recorded at SkyDogCon when Jayson Street gave a remote, pre-recorded Skype presentation which was recorded in a SINGLE TAKE WITHOUT POST EDITING (except for the intro titles)!  We didn't rehearse...nothing!  It just worked!  Even though a couple of elements could have been better, it was completely on-the-fly & I had no idea how it would go, much less how it would translate to video.  Check it out & tell me what you think.


Thanks for a great year & see you in 2016!

~Evan @pentestfail


Tuesday, November 10, 2015

Preparing for BSidesCHS 2015

Status Update

Sorry for the lack of content over the past few months, but between family, work, and crazy "CON season" the blog has fallen into the backlog.  That said, I've been busy doing video at conferences with Irongeek (BSidesLV & DerbyCon) as well as recording conferences & posting videos for SkyDogCon, BSides Iowa, BSidesATL, BSidesCLT, & this weekend BSidesCHS!

BSidesCHS 2015

So, because I'm a glutton for punishment, I'm doing what I've sworn I would NEVER do again at a conference...speak and record 2 tracks of video simultaneously!

If you're in Charleston, SC, this weekend (14 NOV 2015) and want to see my last shreds of sanity vanish before your eyes, then come on down to BSidesCHS!

Going Nuclear: Exploiting Mass Emergency Notification Systems

You’ve received emergency notifications; had a storm warning interrupt the season finale; had your phone go berserk with an “amber alert” which annoyed yet somehow gave you a warm fuzzy the government is looking out for you.  You’ve driven under an interstate notification sign and cursed “traffic delays due to construction” when you’re already running late. But how did those messages get there and who REALLY sent them?  Easy to laugh off one warning of “ZOMBIES AHEAD” but what if the message also came over your phone and radio simultaneously?

With a footprint the size of nations, emergency notification systems stand ready for everything from the worst disasters to the most localized emergencies, dangers, weather, and more.  These "systems of systems" are held together by embedded devices, fragile protocols, and terrible implementations in an IoT nightmare so unreliable it fails as often as it succeeds.  But why does it persist?  Let's explore the government-mandated backdoors into commercial & public communications networks ripe for exploitation!

This talk will demonstrate how messages are initiated & distributed, as well as how an attacker could inject, modify, disrupt, or even take over major parts of the larger system with the click of a button!  We'll explore the devices, their vulnerabilities, and the future of these systems in the US under the Integrated Public Alert & Warning System (IPAWS) as well as in other countries.  While walking the tightrope of legality, it will give you the background and tools along with multiple live demonstrations, and invite you to participate in a "BSides Emergency Notification System".  Even if you don't hack these systems (and I'm not saying you should), I'm sure you'll find the discussion eye-opening and engaging in an area where RF hacking, IoT/SCADA, and critical infrastructure collide to create one hell of a mess!

Monday, November 2, 2015

SkyDogCon 2015 Videos Posted!

Sorry it took so long guys, but the "CON Crud" kinda put a kink in getting these done this week.  That said...we're polishing up a couple of them that had issues but, as of right now, only 1 of the 18 recorded talks is pending (a few were not recorded at speaker request).  I'll update the playlist as they're ready, but pay attention to Twitter for the individual talk links.

We had an awesome year of talks and hope you enjoy catching up on ones you missed, revisiting the material, or tuning in if you weren't able to make it out to the CON.


Saturday, July 11, 2015

Thursday, March 5, 2015

The Reporting Killchain


In 2013 at ISSA International in Nashville, TN, I gave a talk on using "big data" tools for security compliance and continuous monitoring over traditional security toolsets.  The talk pulled directly from a project I had been working on for a large US government agency that ultimately failed regardless of the agreed value it provided to the organization (I actually got an award from that agency for the work!).  The outputs and experience from that provided me some insights that ultimately have taken me the past couple of years to reconcile and mature into the "Reporting Killchain".

Obviously, the name is intended to be a "tongue-in-cheek" reference to the "Cyber Killchain" we often hear referenced in so many articles, blogs, and presentations.  By all means, I think it is one of many valid concepts to reference for developing a comprehensive security strategy.  But the reality is that so many organizations claiming they're "attacking the cyber killchain" is more than just laughable...it's downright sad!

My Experience...

In the project I mentioned above for that agency, we were tasked with implementing a continuous monitoring tool for FISMA and other security requirements.  A ton of tools were analyzed and ultimately none of them were purchased.  The money was reallocated to something else and we were left holding the responsibility to make something work.  We ended up turning to an existing project to leverage a "big data" tool (vendor is unimportant) which already had much of the data we might need being aggregated into it and which had zero cost for us to use.  Why didn't we use that in the first place...well...we'll get more into that in a coming blog post.

Before we transition though, the reality was that the "big data" tool, "off the shelf", would not meet the requirements to provide the level of monitoring and reporting we were required to provide.  Though that tool had a "FISMA" app/plugin we could use, it only covered approximately 20 of the several hundred controls we were ultimately required to monitor!  And that was only IF you sent the right sources into it.  We knew we had a lot of work to do!

"The Reporting Killchain"

The concept finds its roots in organizational behavior and by all accounts is very much a "thank you, Captain Obvious" for many of you.  Still, this concept is meant to bridge the gap between security practitioners and "the organization", as well as to hopefully be a point of reflection for those finding themselves unsuccessful or outright jaded in their efforts to improve their organization's security posture.  What I've tried to do is boil down some key points in the "reporting process" where needs, ideas, goals, etc. get shot down, bogged down, and fail to move forward.

These breaking points have been described to me time and time again by countless other colleagues and professionals and are present in, if not directly responsible for, every single breach or security incident that I've ever seen!  I don't say that to be dramatic.  Almost every major breach I've read about had some point in its reporting killchain where the outcome could have been drastically different had the message passed through the chain transparently.

Over the next few blog posts, I'll drill down into each of the points of this "Reporting Killchain" in what I hope will be an engaging discussion on how we as security practitioners can break it for the sake of our sanity!

"The Reporting Killchain: It's Killing Your Security"

Presented at Chattanooga ISSA, 3 March 2015


Think your organization is ready to attack the "Cyber Killchain"? Yeah right! You haven't even tackled your Reporting Killchain!  What is that? It's the process your organization takes to get information from the bottom to the top of your organization and back.  Chances are it's like playing the old telephone game but even more pathetic and less direct!  Don't be naïve enough to think you can begin to make your organization more secure until you put the information before the politics, bureaucracy, and mind-numbing process.

Don't worry, this isn't a talk about organizational behavior, structure, or business best practice.  Never mind that in doing so you'll simultaneously improve organizational communication, morale, and security visibility. This is a discussion on methods you can use to hack your organization's reporting chain and put the power of the information before the process.  Let's look at how to use existing reporting tools to crunch more than just machine data.  Let's use them to further cultivate human-generated data to create real organizational security intelligence! We'll show you how to use existing reporting tools to do non-destructive analysis to create true multi-level reporting that can't get shot down, watered down, or otherwise manipulated before it gets to the CEO! Let's attack the Reporting Killchain that's keeping your organization from being more secure!


Monday, November 24, 2014

BSidesLV & BSidesCHS 2014: "Allow myself to encrypt...myself!"


At BSides LV/CHS 2013, I shared a dream…of a day when all-the-things would be endowed with…with huge…encryption! YES!  BIG ENCRYPTION! Where NSA is spelled with F & U! Of a future where I can share my data without sacrificing ownership, confidentiality, or anything else.  Where my memes and social awkwardness will be appreciated! Um…seriously though, we played "fantasy defense-in-depth", sacrificed an "admin dude" dressed like the Black Knight, and generally shocked the world that the internet isn't a safe place.

Wait…ok…now seriously, we explored why the “escalation of weaponry” means defense is futile; why the networks of the future, pervasive ubiquity, and other unknowns won’t fit into a secure perimeter; that we need to protect data over devices; that if we can’t control how our data is transmitted, processed, or stored we need to figure out how to protect it!

Can we create data resilient to attack even when the host it resides on is compromised? How do we not lose availability or the ability to share & collaborate with others? We were on the trail last year, but now we think we have a solution & can't wait to show you! Fast forward 1 year & we have possibly the first open-source-destined & patent-protected comprehensive framework for data protection. It's a big idea with big challenges, destined for failure without your input and expertise, so come join the conga line to crazy town!




BSides Charleston 2014 Videos Posted
