CompSec Direct Keynote-B-Sides-PR-2019

Who we are, where we started
My company, CompSec Direct,
started here in PR, renamed,
rebranded but we always keep
deep roots here as much as we
can.

Who we are, where we started
For example, here are some PR related efforts we have done to date:
The Hacienda case, which I will discuss here today.
Spillage of court cases in the Judicial Branch, some involving minors. Still unfixed.
Shodan notices to the former CIO of exposed gov related systems. Fixed*
Data.pr.gov subdomain submissions of open-data suggestions, pending.
Aeronet Whitepages where the provider was providing SNMP information with customer names. Now fixed….

About Aeronet posting
I had the privilege to work here for a few months, back in 2007.
I am angry at people suggesting drama and taking away from the real
problems.
In Gino's case, he failed to recognize that if one of his former
employees suddenly decides to communicate directly with him after
not speaking for 11 years,
maybe he should have listened….

What would you have done?
Lets vote to see who is correct here
https://pollev.com/jf484

About accelerated disclosures, notifications and other contributions
I'll ask you, as IT or non cyber related folks, how
many time do you believe we have been
thanked for our efforts?
How many times have we been thanked publicly
or credited for our efforts?
zero
0https://pollev.com/jf484

Thanks
That is why I'm here today at Bsides PR
for you, not them.

Oh boy…
We are a conquered race
We are good imitators;
We adopted every conquering nations beliefs, ideals, customs and languages
Our laws, our policies, our industries all started or originated somewhere else

Here we go…
We are not good innovators
Except for our GDP in artists, some
notable scientists and doctors
we have not innovated anything as
a country with global impact where
people know and say:
This started from Puerto Rico,
except reggaetón*
(Started from Jamaican dance hall music)

Hard truths
Truth hurts huh?

The imitation failures
As good imitators, we struggle endlessly to
correct Ineffective policies, ineffective
government since we modeled ourselves as the
US approved; like them

Imitation failure example
One of the ways we imitate is the political
arena and campaign funding,
You see, future or existing politicians are
nominated by political parties that raise funds

Imitation failure explained
When in office, they cannot legally campaign or
aid with resources (people, funds) as sworn
members, since they now serve the country
not the party*

Imitation failure based on relation to host country
Since we imitate the campaign raising circus in
the US, but don’t have 350M+ people, the
campaigns cannot generate 100M dollars for re-
election campaigns
Thus there isn’t a financial gain here except for
the promise of a trusted (confidant) position if
elected, and perhaps direct contracting for
professional services down the road since you
helped.

Innovation suggestion: Match campaign funds to Education Department
Innovation suggestion: Dollar of Dollar campaign
funds to Dpt. Of Education.
Yes, they will cheat and steal, but at least the money
could be used for good...
Maybe…

How this scenario is different in Federal / other States
Here is the problem, I have more experience in the
federal space submitting bids, proposal and similar
experience at the state level in MD.
Both of these have strict guidelines for fair-
competition in bids, awards.
With the exception of exigent/emergency contracts

How to do business with the PR government through reputation and past efforts
PR is different, if you are well liked by a party, and
offered services during the election process,
you get preference somewhere in the process.

How this applied to us
For us, I met the (US Person) USP0 during the pre-
party nomination,
Gave the 30 second pitch, and was directed to USP1.
After a few months, we gave a presentation about
providing secure comms during the election.

What is secure comms in relation to OPSEC and Tradecraft?
Secure Comms being;
Tradecraft+ training+ security measures = OPSEC
Tradecraft is what you do
OPSEC is how you address risk as a whole by
effectively using tradecraft

Here is an excerpt of what exactly we offered
Secure Communications & Devices Solution for 500 devices for 1 year
(low six-figure sum)
Includes physical, logical and user education trainings for 500 individuals
Trainings done in person for groups of 20+
Trainings done via WebEx/Skype for all others
HQ Security Review included
Requires collaboration and support of users as well as full inventory of BYOD
Malicious Insiders Prevention and Detection for 1 year – (low six-figure
sum)
Includes unique document tagging and encryption solutions
Secure Social Media and Web presence for 1 year (low five-figure sum)

Why this was never finalized
Sadly, this was not picked up.
And thus I departed PR and starting working CONUS.
Campaigns have a limited budget which is focused on advertising

#DFWO : Don’t Forget we offered
Now here is the interesting part.
USP0 was forced to resign from lack of secure comms.
Now, no amount of encryption can prevent someone else from
correlating what you wrote if shared with someone else.

The Old School Politician remembers the past,
GenX and Millennials are more tech focused
In fact, the older generation of politicians understand that
"we are doomed to what we write, not what we say".
They don’t trust electronic communications as much as my generation
and Gen X'ers since they lived wire-tapping era, “carpeteo”,
frankly, nobody truly understands how digital becomes distributed.
Risk > Convenience

Errors related to lack of secure comms
In this case, USP0 made four critical mistakes that could have almost been prevented:
1. Wrote derogatory statements related to prejudice, discrimination, humiliated fragile
social-groups and implicated himself and his cabinet in multiple ethics and criminal acts
a. Technology cannot change or improve your culture, upbringing or habits
2. Did so in a group setting without compartmentalizing information
a. Almost like talking to intimate friends
3. Publicly attacked a member of said group, USP3
a. By raising conflicts of interest claims related to son, USP4
4. Admitted publicly to the authenticity of transcripts
a. A big no-no in politics.

If you surround yourself with amateurs….
Despite being surrounded by lawyers, no one ever stated to USP0 that:
"hey bro, WTF are you doing here???"
Perhaps something that secure comms oversight could have addressed.

Methodology for attribution of suspected leaker
But wait, are you saying USP4 did this; well here is methodology:
1. Correlate end date of transcripts against members of group, including close-
associations
2. Search endi / elvocero for things that happened around that time related to politics
3. One thing really stands out

Whistleblower laws as they apply to contractors
Criminal whistleblower laws in federal space protects government officials > government
contractors
I know this personally because I have had employment terminated (by employer, not
gov) after raising concerns as a contractor.
In my case, I followed the process; aka a reverse-Edurado-Snowfall
Eduardito, you should really go back and clear out your desk, that says a lot about you.

MMO for criminal cases explained in plain Puertorican…
Now, USP4 is perhaps liable for a conspiracy amongst other charges.
Means: "Chiko technico" means has knowledge of IT
Motive: Publicly part of nepotism case with state contracts via government/contractor
relationship
Opportunity: "Papi, prestame aca y yo bajo to eso a PDF y se lo doy a CPI"
This is now subject to some form of merit because USP3 made public statements about
technical knowledge of USP4.

On why you should never out yourself on something at this scale….
That being said, no public statements of admission from USP4.
“He's crude, but he's crafty" Mutually-assured destruction via pyric victory.
As they say, "STFU and get a lawyer"
"He's not the hero we wanted, but the one you got"
Which now adds to the corruption narrative in the US, by virtue of reality.

Innovation suggestion
Innovation suggestion: Whistleblower protection laws for also apply to contractors.
All in all, effective tradecraft is tantamount in any organization. #DFWO
Privacy Screen = Mobile and laptop
Disable GPS = Minor annoyance
Disable wifi when not in use = slightly annoying
Disable bluetooth = moderately annoying
Disable Cell = Very Annoying
Don't take phone = Wow, so pay phones?

On the Hacienda case: Day 1
Now, back in 2017, USP1 and I talk.
I hear about ransomware in Treasury Department, and was asked to get involved.
By the time my flight landed, we get some PR action…. Interesting… an unusual….
By the time I make it to Dpt Treasury, it was very late, many IT staff are visibly tired.
I am briefed, I ask the staff to prep written statements to they can start getting their
stories straight, and depart late in the evening.
Guess what, no one did written statements <shocker> so I can't even get a good grasp at
what everyone had done until that point.
Everyone is tired and no one works over time from home.
One thing we did suggest; pay the ransom.

On the Hacienda case: It could have been prevented but it was too late
Not only was Dpt of Treasury breached; through brute-force of a public facing service,
it affected the backups as well.
The staff involved for IT was professional, knowledgeable and obviously concerned with
the incident.
To my surprise, every time I asked for something besides statements, they were diligent
in ensuring my requests were being acted on.

On the Hacienda case: If, Else, Finally…
At the time, ransom for decrypt backups was less than $1,300.
To them, this seemed like an impossible option.
I suggested to one contractor, UNUSP1, to try and decrypt one file from said backup
solution to test if this was even possible.
When you get hacked, ransomed, and have no alternatives; you pay the ransom since
Recovery Time Objectives (RTO) for businesses trumps everything.
Us talking about what to do next, cost over $1,300 so I reminded them of this fact.

On the Hacienda case: A case for hack naked?
Oddly enough, UNUSP1, was not able to accomplish this; which personally seems odd.
You see, no one ransoms anything if they cannot make money.
The service was up according to UNUSP1, but the statement "maybe it was a
dependency of the victim system for bilateral communications that simply caused it to
fail" was odd.
Communications with the ransomware operators also provided "no communications
established the next day".
However, since we had not been officially contracted to perform malware analysis, we
did not.
Instead, I uploaded the "alleged" ransomware virus into Virus Total on March 7, 2017.
You may say, upload the hash, not the file.
That depends on what side of the fence your on. More on that later…

On the Hacienda case: The malware
We are sharing this after the conclusion of the event by providing an indirect link.

On the Hacienda case: Day 2
By the second day, I re-experienced a common situation when this scenario happens, the
system experts, which until the day of the incident had normal responsibilities, day to
day duties and obligations, suddenly became engaged forensicators with investigative
responsibilities; that was our job.
I reminded the team that the situation was not contained, they needed to focus efforts
on remediation first and help us collect artifacts of evidence of the crime for us to
analyze; not them.
Another common occurrence during this scenario is talks related to budget, which serves
no purpose during a time sensitive situation like this.
At one point, I had to re-address marching orders, since the suggested plan by USP5 was
not necessary for purposes of containment.

On the Hacienda case: It always sucks when it happens to you
USP5 had the recently started this position. This is a normal occurrence between
government as new elected officials place individuals of trust into government offices.
This is why Ben Carson, a neurosurgeon by trade, is in charge of HUD.????
He inherited all of these problems prior to starting and less than 3 months is not
sufficient time to get a grasp on even what your environment is.

On the Hacienda case: Resist customer bias when conducting investigations
Let's take a break here on memory lane, whenever I approach any situation involving LE,
I think of the movie "Rising Sun".
In the film, the protagonist use digital video evidence to help solve a murder case in
Japan.
Much like the movie, the IT department at Hacienda presented some initial evidence,
potential suspects and MMO.
Somethings seemed the result of causality, others pure luck, others "very interesting
timing".
As an IR person, you have to resist your customer bias, opinions and statements and
collect the entirety of evidence you can to support any claims.
This is difficult when you are not LEO, and you are being paid by a customer.

On the Hacienda case: Resist customer bias when conducting investigations
During our involvement, we provided strategic leadership advisory during the first days
for the IR. This resulted in actions with consequences:
1. We brought some systems back online vs forensicating.
2. We provided questions and action plans for the government to ask and do.
3. We provided oversight to the battle plan
4. We briefed the director of Hacienda and the FBI
All under less than 3 days.

On the Hacienda case: On impostor syndrome
As I reflect on this event, I felt I was unprepared to accomplish what we were asked to
do based on scope, almost like pre-engagement jitters.
Those immediately went away the more I talked with the staff, not because of they
didn't know what they were doing, but because I have done this before, in a larger scale,
with less options.
I knew I was in the right place by then.

On the Hacienda case: Ingles con fronteras
Now, for us, we did not sign contracts or agreements with the government to formally
do any work.
The reason still baffles me, our NDA had jurisdiction in Maryland, which the government
rightfully refused, but more so;
the document was in English?
How can a country that is attempting statehood claim such a thing?
To date, I have no regrets as to not jumping in head first in this engagement.

On the Hacienda case: As a small company, your capped by your “warchest”
A few weeks earlier, PR announced bankruptcy and I had no expectations of being paid
in a timely manner.
For us, we have native islanders that would have assisted us during the IR, but we don't
have that capital to pay our staff when it could have taken X months to be paid.
So as I'm finalizing this contract, I had a gut feeling that we simply can accomplish this IR,
but I had no idea when we would get paid, so I said no to the IR, and instead suggested
we do a case study and in the mean time, address language and contract barriers that we
as a small company faced.

On the Hacienda case: Hurricane relief efforts > the cybers…
Maria changed everything.
As I was trying to maintain good relationships with USP1, it became clear to me that I did
have impact on the IR and other efforts.
Sadly, priorities change, so does staff.
I don't have the same relationship with the current CIO, but I would like to.

On the Hacienda case: Well, it’s almost like you paid for it indirectly, so it’s yours
This case study sadly was never purchased, lucky for you, we are providing a redacted
version of the case study tonight after the event on our site.
The link will only work from PR IP space for the first week, and then becomes public to all
visitors.
Password to get inside is: <so secure jose……>Yes</so secure jose……>
We are also providing adaptable parts of the questionnaire used during the IR in hopes of
getting more C suite visibility on things they can do prior and during an IR.
Personally, I really tried to have Hacienda look over the redacted version. ¯_(ツ)_/¯
Our case study was evaluated by a staff member at Hacienda, which commended our
case study in relation to other deliverables.

On the Hacienda case: Closing thoughts
Since this event was essentially caused by poor change management and poor
preventative actions, we can expect this to continue happening.
Since then, at least 4 more government agencies have been breached.
To date, neither the FBI or Hacienda have ever reached out to us for further assistance.
However, they're dependence on non-cyber focused companies continues to grow
based on practical needs for PR.
They don’t have to be secure, they simply need to improve the quality of life for citizens.
Placing a Fortinet, (im sorry, you’re a sponsor but ¯_(ツ)_/¯ ) , does not solve for:
any-any rules.

The appearance of PR on the Net
We are a susceptible country on the net.
The biggest challenge cyber security has is also stemmed from the same problem
security has in general;
it produces zero income.
The next problems are simply based on awareness of issues and willingness to adopt
measures to reduce risk.
How can we change that?

Let’s actually be innovators for once
We need to change the way government operates.
For example, we have an unemployed labor force with some knowledge of IT.
We can build a non-profit to help organize the labor pool, provide opportunities to defend and improve
gov networks and at the same time pay the participants for their efforts.
Im not talking about making Hacker1 or a bug-bounty, Not That, I'm taking about making this a thing in PR
where we can build a vetted pool of defenders similar to our National Guard.
None of the existing companies already embedded in gov can improve the problem, since they essentially
made the problems, you need a third party.
This can be done, Glorimar, I'm serious about this. We need to protect ourselves and improve
opportunities for those that still live here.
If your part of those companies, we want to help your staff become better so they don't accidentally cause
these problems. We don’t want your jobs, we want to help you be better at it.

CompSec Direct Keynote-B-Sides-PR-2019

More Related Content

What's hot

Similar to CompSec Direct Keynote-B-Sides-PR-2019

Recently uploaded

CompSec Direct Keynote-B-Sides-PR-2019