My home on the interwebs

October 28, 2016

IoT Security Testing Types

With the recent DNS denial-of-service attacks originating from compromised Internet of Things (IoT) / connected devices, I thought it would make sense to break down the various areas where companies are struggling to keep these devices safe. The Internet of Things (IoT) can be defined, as Cisco puts it well, as “a pervasive and ubiquitous network which enables monitoring and control of the physical environment by collecting, processing, and analyzing the data generated by sensors or smart objects.”

The problem with these devices is the size of the software and hardware perimeter that could be compromised. Security professionals working with product development can build better IoT ecosystems, but a full-scope IoT security testing program encompasses MANY disciplines and volumes of knowledge – this is not something we can fix overnight. Here is a list of areas to consider when you are looking into IoT hardening.

Testing types:

  • Code Security Assessment “Code Review”: Security code review is the process of auditing the source code for an application to verify that the proper security controls are present, that they work as intended, and that they have been invoked in all the right places. Code review is a way of ensuring that the application has been developed so as to be “self-defending” in its given environment. Covers both automated and manual reviews.
  • Binary Testing: We create various ways to dynamically exploit the code on the phone like it would be in the real world.
  • Hardware Testing: Not knowing the application details can be frightening; encryption and protection are important. Here we use hardware-based attacks such as power-timing or side-channel to compromise the application.
  • Host Forensics: What does the application leave on the host that could make it vulnerable? Does any leftover data give attackers insight?
  • iOS/Android Environment Assessment “APK”: Digital Rights Management, Content Protection
  • Authentication/Authorization Review: How credentials are transmitted and stored. With authentication and authorization components, a trust relationship is established between IoT devices to exchange appropriate information.
  • Vulnerability Assessment / Penetration Testing: Process of identifying and quantifying security vulnerabilities in an environment, then simulating the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization.
  • Automated Fuzzing: Software testing technique that involves providing invalid, unexpected, or random data to the inputs of a computer program.
  • System Architecture Security Analysis: Early assessment for General Hardening will reduce tons of additional work in the development process.
  • Cloud or Systems/Network Architecture Security Analysis: Does the application communicate with a back-end? If so, that should be in scope. We analyze the network traffic and how it flows between host and server, particularly with regard to encryption, where there are typically vulnerabilities.
  • Backend Systems/Network: Traditional areas should not be forgotten.
  • Protocol Analysis: BLE/WiFi, 802.15.4/Zigbee, USB, and Ethernet.
  • Database Security Review: Trust Modeling & Verification
  • Key management systems (KMS) / Cryptanalysis “cryptography”: Addresses problems associated with the design and security analysis of network protocols that use cryptographic primitives. Examples: public-key protocol, TLS, probabilistic, computational soundness, polynomial-time process, game-based verification
  • Malware Analysis: The number of malware threats targeting the segment is rising.
  • API Analysis: Application program interface (API) is a set of routines, protocols, and tools for building software applications. An API specifies how software components should interact and APIs are used when programming graphical user interface (GUI) components.
  • Configuration Assessment: Reducing configuration drift and unauthorized changes with static analysis/methodology.
  • Security Documentation Review: A document that establishes standards for Information Security documentation – What risks were calculated and how to monitor/protect against.

The defenders have the difficult job of getting it right every time, whereas the attackers/criminals only need to find one seemingly small weakness to bring the whole thing crashing down.

Regarding DNS attacks, the creator of DNS, Paul Mockapetris, said “DDoS threatens our values and freedoms, as well as our surfing”. Therefore, I believe security researchers, businesses, and government will learn from previous attacks and keep healing our system into a bigger, better, and stronger global network.

~Michael Goetzman “Korgo”

April 7, 2016

CYPHERCON 2016 Success

CYPHERCON 2016 WAS A HUGE SUCCESS! If you didn’t attend, make sure you check out the presentations and join us in 2017:

 

CYPHERCON’s Opening Ceremony Begins!

Presenter: Nicole Tatrow & Michael Goetzman “Korgo”

 

Security Control Wins & Fails

Presenter: Jason Lang

 

Offensive Wireless Tactics “used in DEFCON 23’s Wireless CTF”

Presenter: Eric Escobar

 

Keynote: China’s Hackers and Cyber Sovereignty

Presenter: Lieutenant Colonel Bill Hagestad II

 

You’re Right, This Sucks

Presenters: J0hnnyxm4s & Lesley Carhart

 

No encrypted data on this drive; just pictures of my cat

Presenter: Parker Schmitt

 

Curry and TARTS

Presenter: JP SMITH

 

All your Wheaties belong to us. Removing the basics that humans need for survival.

Presenter: Chris Roberts

 

The CYPHERCON PuzzleMaster Speaks

Presenter: BeLouve

 

Keynote: P.I.S.S.E.D. Privacy In a Surveillance State, Evading Detection

Presenter: Joe Cicero

 

Bypassing Encryption by Attacking the Cryptosystem Perimeter

Presenter: Trenton Ivey

 

Hypervault Demo & HTTP and SSH Tunneling

Presenter: Caleb Madrigal

 

Quantum Computation and Information Security

Presenter: David Webber

 

Medical Devices: Pwnage & Honeypots

Presenter: Scott Erven

 

Espionage – A weapon during the cold war

Presenter: Werner Juretzko

 

Thank you IronGeek for recording the CYPHERCON 2016 videos

July 29, 2015

Speaking at Hacker Halted

I am excited to announce I’ll be speaking on “DNA Security” at the EC-Council’s conference: Hacker Halted on September 17, 2015! http://www.hackerhalted.com/2015/speaker/michael-goetzman/

Talk Title: GATTACA – Final Warning!

Abstract: You were warned in 1997 that a not-too-distant future was approaching. This dystopian future is here now due to rapid technological advances, much quicker than we initially imagined. These breakthrough DNA technologies are exposing your deepest darkest secrets. Who can see this information? What will they do with this information? Little does anyone know they are only one data breach away from public exposure.

July 13, 2015

Speaking at the inaugural BioHacking Village (BHV) at DEF CON 23

I am excited to announce I’ll be speaking on DNA security at the inaugural BioHacking Village (BHV) at DEF CON 23 on August 6-9, 2015! http://www.defconbiohackingvillage.org

Talk Title: Social implications of DNA acquisition & storage

Abstract: The advent of rapid ‘Next-Generation’ DNA sequencing methods has greatly accelerated biological and medical discovery, steering society into a paradigm shift, the genomic era, of personalized medicine. This trend promises an affordable insight into your personal genome, potentially giving individuals personal advantages. What information is hidden within a strand of DNA and what are the implications of accessing this data? Will these rapid advancements enhance humanity without sacrificing ethics and personal exposure? Can society overcome challenges stemming from emerging technologies such as massive internet-accessible databases and cloud storage?

March 21, 2015

Thank you Chappee Rapids Audubon Society

 

I was honored to have been presented with the Exceptional Service award last night by the Chappee Rapids Audubon Society!

Technology is important to local and regional nonprofit organizations for maintaining members, spreading news, and fighting challenges. While maintaining their Twitter account, working on the website, and configuring their Google apps, I’ve learned so much about birds and the community. I’m glad I could help the organization and ultimately the endangered bird populations! Please check out the Chappee Rapids Audubon Society website at http://craudubon.com

Chappee Rapids Audubon Society - Exceptional Service Award

 

 

February 4, 2015

Thotcon Speaker

I’m pleased to announce I’ll be speaking at Chicago’s best hacking conference: THOTCON on May 14th and 15th 2015:

“GATTACA – Final Warning!”

Abstract: You were warned in 1997 that a not-too-distant future was approaching. This dystopian future is here now due to rapid technological advances, much quicker than we initially imagined. These breakthrough DNA technologies are exposing your deepest darkest secrets. Who can see this information? What will they do with this information? Little does anyone know they are only one data breach away from public exposure.

September 30, 2014

23andme – Real Gattaca Future of Medicine

Gattaca is a 1997 futuristic sci-fi thriller starring Ethan Hawke and Uma Thurman. The film presents a biopunk sci-fi vision of a future society driven by eugenics where potential children are conceived through genetic manipulation to ensure they possess the best hereditary traits of their parents. The movie focuses on Ethan Hawke overcoming genetic discrimination from the genetically modified “perfect combination of guanine, adenine, thymine, and cytosine” humans around him. DNA is everything in this world, from dating to job roles.

The movie is set in “the not-too-distant future”, but flash forward to the reality of 2014 and some could say we are already here. We have innovative companies like 23andme.com analyzing our DNA and providing raw answers about our health and ancestry. Well, the healthcare information came to a stall in December 2013. 23andme.com was stopped by the Food and Drug Administration for giving too much information between providing scientific information and being a medical test. In the meantime customers will still get ancestry data, be able to download their own raw data, and 23andMe will continue to use the data it collects for its own research. Regulatory review is in progress to define what direction the future will take on direct-to-consumer DNA results.

There is one loophole during the ongoing regulatory review, which could take years: on eBay you can purchase 23andme DNA kits ordered prior to November 2013 that will grant you access to your DNA healthcare information. Most US consumers are waiting on the US government for decisions…

 

August 2, 2014

ENCRYPT – DECRYPT License Plates

Have you seen a Kia Spectra or Hummer H3 with Wisconsin license plates: ENCRYPT or DECRYPT driving around the Milwaukee area? Well, we’ll admit…that’s ours… we went completely Infosec / spy themed nerd crazy on our recent change to customized license plates. for our

encrypt / decrypt license plates

The credit for the idea of the spy-themed plates came from Milwaukee’s most mysterious location: The Safe House. Not sure what that is? Check out the wiki of the famous restaurant & bar! They have on display Wisconsin license plates: Ncrypt & Dcrypt. When I was seeking possible clever choices for customized plates I saw Wisconsin now allows seven-character plates and both were available.


 

July 17, 2014

Xbox Live 2002 Beta Tester Disc

Digging through my old discs, I found an old Xbox Live 2002 Beta Tester kit, with manuals, serial code, and beta disc! I recall 100,000 Xbox owners applied for the beta program and only 5,000 were selected by the Xbox Live marketing director! The first round of beta testers got a free online version of “NFL Fever” and the racing game “Re-Volt”!

Now in 2002, online service was nearly non-existent! Microsoft didn’t anticipate such a huge response of pent-up demand! The odds of making it into the first round of beta testing were pretty low. Selection for the beta program was largely based on surveys sent by applicants that demonstrated a commitment to contributing to the beta program: people Microsoft could get feedback from, who would stress test the servers and yell to all their friends how great Microsoft’s new online service was!

Now, Re-Volt was a promising game for the Xbox back in 2002 during beta. The few thousand people who actually logged into their Xbox Live beta within the first week got to play the game before Acclaim canceled their plans to release an Xbox version of Re-Volt.

The demo included on the Beta starter kit is the only version available for Microsoft’s system to this day. This created a collector’s item! While supply is extremely low, demand is hard to gauge since the game is no longer playable online now that the Xbox beta has long been over. Can pleasant memories of the Xbox beta and the extreme rarity maintain some prolonged interest?

We’ll find out: http://www.ebay.com/itm/181457348895?ssPageName=STRK:MESELX:IT&_trksid=p3984.m1555.l2649