Category Archives: Security

2600 Films: Freedom Downtime

The entire 2600 film Freedom Downtime is on YouTube. This is the 2001 documentary about Kevin Mitnick and the Free Kevin movement. Lots of contemporaneous footage. Many of the themes of the film are still relevant today! This is a must-watch for any hacker hobbyist and enthusiast.

2600 still releases the 2600 Hacker Quarterly, which is always a great read; I’ve been working my way through the latest issue and it is as good as ever.

You can buy this issue, back issues and merch here.


CBI Scotland’s cyber security conferences are always of interest to me: not only are they Scottish-centric, they give me, a techie, face-to-face time with business leaders. This allows me to take the pulse of what they are thinking about in terms of cyber security, what they want from cyber security and, more importantly, how they want people like me to communicate with them about cyber security. (Note: I’m using the word cyber a lot here as it’s used by the CBI a lot. Judge them, not me.)

This year’s CBI Scotland Cyber Security Conference had a little bit more than last year. Amongst the vendors talking about the cyber security risk landscape and how their products are key to helping you reduce that risk (which I find in many instances can really knock the cost/risk ratio out of whack, but that’s for another time) there was a political VIP in the midst.

The VIP in question was a pretty lofty member of the Scottish Government, namely Deputy First Minister John Swinney. Mr Swinney talked in broad terms about cyber resilience, including how Scotland will make use of a number of UK-wide initiatives. In addition to this he had some newsworthy announcements to make.

Developed with help from the NCSC and the private sector, the Scottish Government has put together an 11-point action plan for the public sector. There is a view that the public sector is behind the curve when it comes to cyber security, so plans like this are a positive sign.

One of the key points of the plan is putting cyber security as a permanent item on all public sector boards’ agendas. This to me is very smart: having buy-in from the very top is critical to implementing an effective cyber security strategy. Without it, cyber security can become nothing more than an “IT problem”, which can then quickly become an IT afterthought, which can then quickly become a serious compromise.

The rest of the points cover the standard, but sensible stuff as well, such as “appropriate implementation of Active Cyber Defence measures” and “membership of Cybersecurity Information Sharing Partnership”.

It’s great to see devolved governments getting involved with this kind of stuff. Time will tell whether this is a solid foundation for ensuring Scotland’s cyber resilience or merely an elaborate checkbox exercise, but I’ll try to put scepticism aside and say that this is a positive development from the Scottish Government.

Read more about this here.

Picture credit (I didn’t take any pics): @CybertonicaLtd

Bletchley Park Visit

I’ve had the opportunity in the last few days to visit Bletchley Park to represent my company at the Atos Cyber Security Forum. (Main take away, have a solid and rehearsed incident response plan.)

If you don’t know (and you should!) Bletchley Park was the central site for British codebreakers during World War II, most famously Alan Turing.

It is the place where the German Enigma and Lorenz ciphers were cracked, saving countless lives, helping secure victory and bringing the end of WW2 forward by years…and it was all done in secret and remained secret for many years afterwards, with many who served there during the war taking their secrets to the grave.

I got to see the methods used to crack the ciphers, I got to see some of the machinery developed to crack the ciphers and I got to stand in the very rooms where this work was done, including Alan Turing’s personal office.

We also got a tour from Bletchley’s resident historian and researcher, which was very insightful.

On top of this I had a fantastic experience at The National Museum of Computing, where I was lucky enough to get a personal tour of how signals were intercepted as well as a personal tour of the famous Colossus computer. The National Museum of Computing is actually separate from Bletchley Park and is run by a team of dedicated volunteers. If you are ever lucky enough to visit Bletchley Park, make sure you pay them a visit and, if you can, make a donation to allow them to continue to have Colossus on display.

Bletchley Park feels special, being in the very place that such historic and important work was done is both humbling and inspiring. If you ever have the chance to make the pilgrimage (and it truly feels like a pilgrimage), then make sure you take it. I am already planning my return visit next year.

WannaCrypt and Petya: Lessons Learned

Lots of talk about the lessons that should be learned from the recent spate of ransomware outbreaks, namely WannaCrypt and Petya.
I think one of the main lessons learned is that the security services shouldn’t be hoarding zero days and tools to exploit them, especially if they can’t properly secure them.

The thing to remember, however, is that WannaCrypt and Petya both had patches available before they hit (probably because Microsoft were tipped off in advance), and both also took advantage of poor configuration.

Additionally, many organisations that were hit hard could have avoided some (possibly all) pain if they had standard belts and braces security practices in place.

The main lesson organisations should learn is that they should get the basics right.

For example:

Vulnerability Management

Conduct regular vulnerability scanning; understand the security posture of all assets: what vulnerabilities are present, what threats are related to these vulnerabilities, and what risk they pose to the IT estate and the business it serves.
This includes both missing patches (e.g. MS17-010) and poor configuration (e.g. having SMBv1 enabled).

This should all be supported by proper processes that allow for ongoing discovery, remediation of vulnerabilities (either via action or risk acceptance) and confirming remediation.

Ideally, all risks across the entire IT estate should be known about and managed.

Additionally, roles and responsibilities should be assigned to ensure that all of the above is done correctly. This includes security managers, security analysts, vulnerability managers, IT technicians etc.
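The two conditions named above (the MS17-010 patch missing and SMBv1 still enabled) are exactly the kind of thing a vulnerability-management sweep should surface on every host. The script below is an added example and not from the original post: a read-only audit that reports both conditions across a list of machines. It assumes WinRM access to the targets, Windows 8/Server 2012 or later (for Get-SmbServerConfiguration), and that the `$Ms17010Kbs` list is filled in from the Microsoft bulletin, because the KB number for MS17-010 differs per OS build (the value below is a placeholder).

```powershell
# Added example: audit hosts for the MS17-010 patch and SMBv1 state.
# Not from the original post; see assumptions in the lead-in.
param(
    [string[]]$ComputerName = @('localhost'),
    # Placeholder: replace with the MS17-010 KB ids for your OS builds.
    [string[]]$Ms17010Kbs = @('KB-PLACEHOLDER')
)

$results = foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ArgumentList (,$Ms17010Kbs) -ScriptBlock {
        param([string[]]$kbs)
        # Server-side SMBv1 setting (what WannaCrypt/Petya abused over the network)
        $srv = Get-SmbServerConfiguration
        # Any installed hotfix whose id is in the bulletin list counts as patched
        $installed = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
        [pscustomobject]@{
            Host             = $env:COMPUTERNAME
            Smb1Enabled      = $srv.EnableSMB1Protocol
            Ms17010Installed = [bool]$installed
        }
    }
}

# Hosts needing action are those with SMBv1 on or the patch absent
$results | Sort-Object Host | Format-Table -AutoSize
$results | Where-Object { $_.Smb1Enabled -or -not $_.Ms17010Installed }

# Remediation for a host flagged above (run only after review; SMBv1 removal
# needs a reboot on most builds):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Keep the audit and the remediation as separate steps: the audit output is the evidence for the "confirming remediation" part of the process described above, so it should be re-run after the change and the result recorded against the asset rather than assumed.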

Patch Management

Ensure that patches are deployed in a timely manner. This doesn’t just mean pushing the latest Patch Tuesday patches. This also includes understanding what software you have in your IT estate and having a full inventory of assets to make sure everything is patched.

Removable Media Controls

Ensure removable media is limited to sanctioned devices only. Ideally, I would blacklist all removable media and whitelist anything that you approve. (This is just my view, however.)

Malware Prevention

Ensure you have some kind of AV on all endpoints, at least the classic heuristics- and definition-based AV (although there are more advanced solutions available), and make sure it is up to date and working.

Disaster Recovery

Ensure you have backups, including off-site, off-line backups of critical data.

Incident Management

Ensure you have a plan to react to a major security incident; ensure you have the right people in the right places supported by the right processes.

Control User Privilege

This one goes without saying really: make sure that all users have the least amount of privilege possible. This should be supported by processes to ensure that this is audited regularly.
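One concrete form of the regular audit mentioned above is checking who actually holds local administrator rights on each machine, since that is the privilege ransomware most benefits from. The script below is an added example, not from the original post: it lists the local Administrators group on each host and flags any member not on an approved list. It assumes WinRM access and Windows 10/Server 2016 or later (for Get-LocalGroupMember); the approved names are constructed placeholders.

```powershell
# Added example: least-privilege audit of local Administrators membership.
# Not from the original post; see assumptions in the lead-in.
param(
    [string[]]$ComputerName = @('localhost'),
    # Placeholders: account or group names (without the domain/host prefix)
    # that are allowed to be local admins.
    [string[]]$Approved = @('Administrator', 'Server-Admins')
)

$members = foreach ($c in $ComputerName) {
    Invoke-Command -ComputerName $c -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } },
                          Name, ObjectClass, PrincipalSource
    }
}

# Get-LocalGroupMember reports names as HOST\name or DOMAIN\name, so compare
# on the part after the backslash against the approved list.
$findings = $members | Where-Object {
    $Approved -notcontains ($_.Name -split '\\')[-1]
}

if ($findings) {
    'Unapproved local administrators:'
    $findings | Sort-Object Host, Name | Format-Table -AutoSize
} else {
    'No unapproved local administrators found.'
}
```

Running this on a schedule and diffing the output against the previous run turns a one-off check into the recurring audit the paragraph calls for; a new entry in the findings is either an approved change that needs adding to the list or something to investigate.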

User Education and Engagement

Ensure all staff understand the security policy of your organisation. Conduct exercises such as phishing campaigns to test your users and provide training to allow them to understand the risks involved and be better prepared to spot phishing emails, phishing web sites, social engineering etc. (Again, this is just a view; some people may suggest that security shouldn’t be a user problem, it should be an IT problem.)

Good Network Security Hygiene

Have the correct access controls, know what is on your perimeter, ensure you have properly configured firewalls at all appropriate places in your network (with regular rule audits and reviews), have IDS/IPS where required and make sure that VLANs are properly set up with as much segmentation as is required. Ensure that all remote users can connect securely and that any devices they connect from have patch levels at least matching those of devices already on the network. Also, make sure that you have robust BYOD controls.

Scot Gov: Cyber Resilience Debate Analysis

Some analysis on the Scottish Government’s Deputy First Minister, John Swinney’s opening statement during the “Safe, Secure and Prosperous: Achieving a Cyber-resilient Scotland” debate last week.

John Swinney Scottish National Party

“Our focus in this afternoon’s debate recognises the urgency for everyone to secure their technology, data and networks from the many threats that we face, and proposes that citizens and organisations must become more resilient, aware of the risks, and able to respond and recover quickly from any kind of cyberattack.”

The debate appears to be in response to WannaCrypt; it may have been planned in advance, I’m not sure. Regardless, it is good that cyber security is still very close to the top of the agenda for the Scottish Government.

Daniel Johnson Labour

“… our response is vital, but so is prevention. One of the key issues with the recent attack was … Windows XP … Does the Scottish Government have a target date for removing Windows XP from … across the Scottish Government?”

John Swinney Scottish National Party

“The key question that we have to address is how we establish and maintain the most rigorous level of security possible on all systems that are used. In certain circumstances, there may be an appropriate use for the systems to which Mr Johnson referred.
However, the crucial thing is that security arrangements must be in place to ensure that the necessary precautions are taken.”

Sounds like mitigation is king, which makes sense given the circumstances. But I also think there should be a plan to ensure that unsupported operating systems are replaced, a desktop replacement programme at the very least. NHS Scotland should act as a single entity to leverage the best deal during the procurement process.

It would be interesting to see what legacy requirements are dependent on Windows XP. I understand that some of the systems purchased by the NHS are long-term investments and these systems may require the use of Windows XP, but I would hope that these considerations are taken into account when making such purchases. Would it be that hard/expensive to include clauses in contracts that require vendors to ensure that these systems are fully secure and supported throughout their entire lifecycle? How do other countries or private health care providers manage this? Is Linux a viable option in terms of procurement? Would this be any more secure anyway? What would the total cost of ownership be?

John Swinney Scottish National Party

“Any business that can successfully demonstrate that it has taken steps to protect its own and its customers’ data, as well as to respond to and bounce back from any cyberattack, is in a strong position to grow in the digital age. Organisations that can demonstrate their resilience to cybercrime can gain a competitive advantage and increased consumer confidence. Therefore, developing cyber-resilience as a core part of an organisation’s business strategy will ensure that the organisation continues to take full advantage of the internet age and to flourish into the bargain.”

Very high level, standard but sensible advice, echoing what we have seen from the UK government.

John Swinney Scottish National Party

“Social engineering is one of the simplest ways of overcoming our technical defences. We should not blame users. They are not the weakest link, as is often said; they are essential assets. Links and attachments are common in the workplace and that is why they are exploited. … Therefore, part of our response must be to get the basics of online security correct. That includes raising the knowledge and awareness of all our citizens about the risks and the steps that they can take to reduce them.”

Little bit of spin here. I think highlighting user education is right; it would be interesting to see if there is some follow-up to the citizen-awareness line at the end there. Some kind of government-sponsored education campaign to inform users of the risk of phishing, vishing and all their variants would be a helpful and quick win for everyone involved.

In saying this I also believe that businesses need to take responsibility and run their own education programs for their users. From personal experience I know user education lowers risk.

Dean Lockhart Conservative

“Does the cabinet secretary agree that additional availability of computing skills teaching at all school levels would help to address some of those issues?”

John Swinney Scottish National Party

“Obviously, computing science is an integral part of the curriculum, and it is part of some of the earliest stages of primary education. I have seen various coding initiatives in primary schools that have involved primary 3 and 4 pupils. I firmly support the importance of ensuring that young people are exposed at the earliest possible ages to computing education and that they are able to acquire the skills and attributes that are necessary for them to prosper.”

Some good initiatives here, and the Scottish Government has made great progress in this area (if anything I think Mr Swinney underplayed some of the work being done). There is always more that can be done, however.

I gave a talk to some primary 3 and 4 pupils recently and most of the knowledge these kids had on cyber security focused around game hackers. One thing was undeniable, however: the kids were very enthusiastic, engaged and willing to learn.

I think having some cyber security on the curriculum for all students nationwide, for kids as young as 7 or 8, would be a great way to capitalise on this enthusiasm; it could be used to educate kids about the general dangers of being online at the same time.

There is a lot of impressive progress with older kids and young adults, especially in the further and higher education space, which has been supported by the Scottish Government. Only time will tell if it is enough.

John Swinney Scottish National Party

“The digital Scotland business excellence partnership has provided £400,000 to help businesses in Scotland to improve their cyber-resilience and work towards achieving the cyber essentials standard.”

Good to see the Scottish Government throw its weight behind this scheme. One of the things I like about this scheme is that it gives a target for some basic baseline security controls over a number of domains, as well as introducing a form of compliance for organisations that may not have any compliance requirements. I think external audits of any kind are great for sharpening the mind and focusing attention.

John Swinney Scottish National Party

“The Government’s investment in the area is specifically to support a range of hardware and software measures to protect its information and communications technology systems, infrastructure and data; to improve its network monitoring capabilities; to boost staffing in the area, which is vital in order to have the skills available to handle the challenges; to establish and expand a cybersecurity operations centre; and for corporate education awareness and training across the board.”

I like the idea of continuous monitoring and SOCs; they are definitely a good way to spot and prioritise cyber risks quickly. Although from my experience there is a big skills gap in this area, whether this is down to the explosion in the prevalence of SOCs or not I do not know.

SOCs need to be implemented correctly if they are to work; there is no point in having a SOC if it isn’t running at operational maturity, and getting to maturity can be a painful process.

Many vendors now offer SOC as a service, which is a good way for private organisations to get access to a SOC’s capabilities without massive cost or having to endure the painful maturation process. I do not think this would be an option for the public sector, however, due to national security concerns. This could prove expensive, especially if a dedicated Scottish Government SOC was rolled out to all local government, schools, hospitals etc. I can see this one being fully outsourced. (Which, to be fair, is probably the best way to go about it.)

John Swinney Scottish National Party

“It is essential that, across a range of different areas—on learning and skills, on the role of the private sector, on compliance with the European Union general data protection regulation and on the securing of our critical infrastructure—we make cohesive and coherent efforts to ensure that we are equipped to meet the challenges.”

A wild GDPR reference appears. This is an area the government should be focusing on, and along with the ICO it should be doing everything it can to help Scottish businesses be ready for it. With fines of up to 4% of revenue there is a real chance that this could impact the Scottish economy. It looks like the Scottish Government is ready to do its bit.

The full debate can be viewed here:

OSCP Diary 3

I didn’t intend on taking so much time in between posts, but with work, Christmas and the OSCP I have been swamped!

So sitrep: Progress has been slow and steady, maybe a little slower than I would have liked…in fact definitely slower than I would have liked.

So my main issue has been myself: I am arrogant, I procrastinate a lot and I am weak!

So let me explain each in turn; I am arrogant. Coming into the OSCP, I was telling myself, how hard can this be, you’ve been in this game for a few years now, you have lots of Linux experience, you have used most and if not all of these tools before. This should be a formality.

Well, it turns out it isn’t a formality. Yes, I have been in this game before, but never on the attacking side. Sure, I’ve done the vulnhub stuff, the uni classes and even a little bit of dabbling in the real world, but this is different: it isn’t just about knowing how to use the tools or following tutorials. This requires you to sit down and plan and conduct the tools like a conductor conducts an orchestra. This is about knowing what to use when, about what steps to take first, about developing a repeatable but dynamic process.

This is hard….way harder than it sounds, I think the only way to really learn this is via time, practice and effort.

While we are on the subject of effort, let’s move on to my next failing: procrastination. All too often I have got up and told myself today I will spend the entire day on this…and sometimes I do. But that also involves picking up my phone to check Facebook, stopping to make tea, going on YouTube etc. etc. This wastes lots of time. I need to stop this.

My next failing is weakness….I will admit it, I have had the “I can’t do this” moment(s), it has hit me and it has hit me hard.

I will be working on a box, I will be following an attack vector, all is well, I’m in full-on Neo from the Matrix mode…then boom. Brick wall….I get stuck and I cannot get any further. This has happened to me a few times now.

But…a few days ago I hit a milestone, I pwned not 1..but 2 boxes. Sure they were exploiting the same vulnerability, but the joy of getting a shell on those boxes with a custom exploit was good!

I had my first “I CAN DO THIS!” moment, from these I have had a number of small victories, finding the odd thing here and there, I am beginning to feel like I am making progress.

Right, that is enough for today. I’m not sure exactly when my next post will be, but I will try to make it sooner than this one took me!

OSCP Diary Day 2 and 3

I’m now on day 3 of 90 of the OSCP. How has progress been!?…well, steady.

Time has been tight, with work, family etc. It’s hard to set aside blocks of time to really sit down and concentrate. I have the luxury of being able to do a bit at work (cause my work is awesome!), but much of that is broken up in between work stuff (which obviously takes priority), so I haven’t had a huge amount of time to just sit down and focus on working through the course work.

But steady progress is better than no progress… and today…*druuum roooollllll* I popped my first box. Although it was very…VERY low hanging fruit.

I have also made some great progress in regards to enumeration. So all in all, the last couple of days while not being perfect have been okay.

I will need to take a day off tomorrow as I am attending a Cyber Security Conference (which I am really pumped up for), but I will be back in action on Friday.

I’ve still not had that “I can’t do this” moment…but I haven’t tried hard enough yet. Friday I hope to have a few hours of time to dedicate to this, so maybe that moment will come then!

Meaningful time in labs: 9 hours.

OSCP Diary Day 1

Welcome to my OSCP diary, somewhere for me to brain dump my thoughts as I work my way through the Penetration Testing with Kali Linux (PWK) course and then take the Offensive Security Certified Professional (OSCP) Exam.

The PWK/OSCP are under strict NDA so I will not be going into details here, I will be very general and very vague. So if you are looking for PWK tutorials and howtos, then you have come to the wrong place.

After weeks of waiting I finally got my OSCP lab access last night at 0000 hours; as the bell tolled midnight, the email that I had been impatiently waiting for was finally delivered.

The plan was to wait up until midnight, get the email, download all the stuff that I needed to get onto the labs, all the course materials etc. etc., then go to bed, get a solid 7 hours’ sleep and be ready to spend Sunday pwning n00bs and popping shells!

So that was the plan; the reality, however, was somewhat more chaotic. Like a schoolboy at Christmas I had been getting a little hyped up over the last few days counting down the minutes to 0000 on my lab access day, thus I was already a little sleep deprived when I waited up to receive my email.

So the email comes in and I feel the rush of adrenalin surge through me (well, about as much of a rush as you can get from receiving an email after a 20-hour day), and off I go dutifully downloading all the stuff I needed.

So I finished getting all the stuff and headed off to bed to sleep for a solid 7 hours….no, I’m just kidding. I thought to myself, “ahh well, I may as well configure everything just now so I’m ready to go in the morning”, so off I go configuring all the things, getting everything just so.

It is now around 0100 everything is downloaded, everything is configured, all I need to do now is get some shut eye.

“But maybe I should just have a wee tincy wincy look at what I have in store for me”….so I open the course materials, pop on the forums, check out the IRC…it’s now 0200.

My mindset has now changed; I’m now thinking “well, I’ve come this far, I may as well get on the labs and have a look”…3 hours later it is 0500 and I’ve just sat up all night, excitedly scanning all the things!
At this stage tiredness gets the better of me and I decide to call it a night (well technically morning).

So to bed I go; three and a bit hours later I’m awake again, it is now 0830 and I am feeling compelled to get back in the labs. So to the labs I go…now it may be the sleep deprivation, it may be the excessive number of espressos I’ve consumed or it could be a combination of both, but I could not focus on any one thing. I must have wasted hours jumping around from one thing to another. I went from going rogue and jumping ahead of the game hitting random boxes to deciding to slow down and methodically just work my way through things from beginning to end.

In the end, it is now approaching 1800 and I need to get things ready for the day job tomorrow (who I owe a big thank you to for putting me through the OSCP!), and I need to step away for a bit to let everything from the last 18 hours sink in.

The two take aways from day 1 are:

1: Sleep (it is a requirement unfortunately)
2: Plan ahead and prepare your day. (this will save a lot of time later on!)

Now roll on day 2 (of 90).

Meaningful time in labs: 6 Hours