CompSec Direct Keynote-B-Sides-PR-2019
1. Who we are, where we started
   My company, CompSec Direct, started here in PR, renamed, rebranded, but we always keep deep roots here as much as we can.

2. Who we are, where we started
   For example, here are some PR-related efforts we have done to date:
   - The Hacienda case, which I will discuss here today.
   - Spillage of court cases in the Judicial Branch, some involving minors. Still unfixed.
   - Shodan notices to the former CIO of exposed government-related systems. Fixed*
   - Subdomain submissions of open-data suggestions, pending.
   - Aeronet Whitepages, where the provider was exposing SNMP information with customer names. Now fixed.

3. About the Aeronet posting
   I had the privilege to work there for a few months, back in 2007. I am angry at people suggesting drama and taking away from the real problems. In Gino's case, he failed to recognize that if one of his former employees suddenly decides to communicate directly with him after not speaking for 11 years, maybe he should have listened.

4. What would you have done?
   Let's vote to see who is correct here.

5. About accelerated disclosures, notifications and other contributions
   I'll ask you, as IT or non-cyber folks: how many times do you believe we have been thanked for our efforts? How many times have we been thanked publicly or credited for our efforts? Zero. 0.

6. Thanks
   That is why I'm here today at BSides PR: for you, not them.

7. Oh boy…
   We are a conquered race. We are good imitators; we adopted every conquering nation's beliefs, ideals, customs and languages. Our laws, our policies, our industries all started or originated somewhere else.

8. Here we go…
   We are not good innovators. Except for our GDP in artists and some notable scientists and doctors, we have not innovated anything as a country with global impact where people know and say "this started in Puerto Rico", except reggaetón* (*started from Jamaican dancehall music).

9. Hard truths
   Truth hurts, huh?
10. The imitation failures
   As good imitators, we struggle endlessly to correct ineffective policies and ineffective government, since we modeled ourselves on what the US approved; like them.

11. Imitation failure example
   One of the ways we imitate is the political arena and campaign funding. You see, future or existing politicians are nominated by political parties that raise funds.

12. Imitation failure explained
   When in office, they cannot legally campaign or aid with resources (people, funds) as sworn members, since they now serve the country, not the party.*

13. Imitation failure based on relation to host country
   Since we imitate the campaign fundraising circus in the US, but don't have 350M+ people, the campaigns cannot generate 100M dollars for re-election campaigns. Thus there isn't a financial gain here, except for the promise of a trusted (confidant) position if elected, and perhaps direct contracting for professional services down the road since you helped.

14. Innovation suggestion: Match campaign funds to the Education Department
   Innovation suggestion: dollar for dollar, campaign funds to the Dept. of Education. Yes, they will cheat and steal, but at least the money could be used for good... Maybe…

15. How this scenario is different in federal / other states
   Here is the problem: I have more experience in the federal space submitting bids and proposals, and similar experience at the state level in MD. Both of these have strict guidelines for fair competition in bids and awards, with the exception of exigent/emergency contracts.

16. How to do business with the PR government through reputation and past efforts
   PR is different: if you are well liked by a party, and offered services during the election process, you get preference somewhere in the process.

17. How this applied to us
   For us, I met the (US Person) USP0 during the pre-party nomination, gave the 30-second pitch, and was directed to USP1. After a few months, we gave a presentation about providing secure comms during the election.

18. What is secure comms in relation to OPSEC and tradecraft?
   Secure comms being: tradecraft + training + security measures = OPSEC. Tradecraft is what you do. OPSEC is how you address risk as a whole by effectively using tradecraft.

19. Here is an excerpt of what exactly we offered
   - Secure Communications & Devices Solution for 500 devices for 1 year (low six-figure sum)
     - Includes physical, logical and user-education trainings for 500 individuals
     - Trainings done in person for groups of 20+
     - Trainings done via WebEx/Skype for all others
     - HQ security review included
     - Requires collaboration and support of users as well as a full inventory of BYOD
   - Malicious Insiders Prevention and Detection for 1 year (low six-figure sum)
     - Includes unique document tagging and encryption solutions
   - Secure Social Media and Web Presence for 1 year (low five-figure sum)

20. Why this was never finalized
   Sadly, this was not picked up, and thus I departed PR and started working CONUS. Campaigns have a limited budget which is focused on advertising.

21. #DFWO: Don't Forget We Offered
   Now here is the interesting part. USP0 was forced to resign from lack of secure comms. Now, no amount of encryption can prevent someone else from correlating what you wrote if it is shared with someone else.

22. The old-school politician remembers the past; Gen X and Millennials are more tech focused
   In fact, the older generation of politicians understand that "we are doomed to what we write, not what we say". They don't trust electronic communications as much as my generation and Gen X'ers do, since they lived through the wire-tapping era, "carpeteo" (the police dossiers kept on political dissidents); frankly, nobody truly understands how digital becomes distributed. Risk > Convenience.

23. Errors related to lack of secure comms
   In this case, USP0 made four critical mistakes that could almost have been prevented:
   1. Wrote derogatory statements related to prejudice and discrimination, humiliated fragile social groups, and implicated himself and his cabinet in multiple ethics violations and criminal acts.
      a. Technology cannot change or improve your culture, upbringing or habits.
   2. Did so in a group setting without compartmentalizing information.
      a. Almost like talking to intimate friends.
   3. Publicly attacked a member of said group, USP3.
      a. By raising conflict-of-interest claims related to his son, USP4.
   4. Admitted publicly to the authenticity of the transcripts.
      a. A big no-no in politics.

24. If you surround yourself with amateurs…
   Despite being surrounded by lawyers, no one ever said to USP0: "hey bro, WTF are you doing here???" Perhaps something that secure comms oversight could have addressed.

25. Methodology for attribution of suspected leaker
   But wait, are you saying USP4 did this? Well, here is the methodology:
   1. Correlate the end date of the transcripts against members of the group, including close associations.
   2. Search endi / elvocero for things that happened around that time related to politics.
   3. One thing really stands out.

26. Whistleblower laws as they apply to contractors
   Criminal whistleblower laws in the federal space protect government officials > government contractors. I know this personally because I have had employment terminated (by employer, not gov) after raising concerns as a contractor. In my case, I followed the process; aka a reverse Eduardo-Snowfall. Eduardito, you should really go back and clear out your desk; that says a lot about you.

27. MMO for criminal cases explained in plain Puerto Rican…
   Now, USP4 is perhaps liable for conspiracy amongst other charges.
   - Means: "chico técnico" (techie kid), meaning he has knowledge of IT.
   - Motive: publicly part of a nepotism case with state contracts via the government/contractor relationship.
   - Opportunity: "Papi, préstame acá y yo bajo to' eso a PDF y se lo doy a CPI" ("Dad, hand it over and I'll dump all that to PDF and give it to CPI").
   This is now subject to some form of merit because USP3 made public statements about the technical knowledge of USP4.

28. On why you should never out yourself on something at this scale…
   That being said, no public statements of admission from USP4. "He's crude, but he's crafty." Mutually assured destruction via Pyrrhic victory. As they say, "STFU and get a lawyer." "He's not the hero we wanted, but the one you got." Which now adds to the corruption narrative in the US, by virtue of reality.

29. Innovation suggestion
   Innovation suggestion: whistleblower protection laws should also apply to contractors. All in all, effective tradecraft is paramount in any organization. #DFWO
   - Privacy screen = mobile and laptop
   - Disable GPS = minor annoyance
   - Disable Wi-Fi when not in use = slightly annoying
   - Disable Bluetooth = moderately annoying
   - Disable cell = very annoying
   - Don't take phone = Wow, so pay phones?
30. On the Hacienda case: Day 1
   Now, back in 2017, USP1 and I talk. I hear about ransomware in the Treasury Department, and am asked to get involved. By the time my flight lands, we get some PR action… interesting… and unusual… By the time I make it to the Dept. of Treasury it is very late, and many IT staff are visibly tired. I am briefed, I ask the staff to prep written statements so they can start getting their stories straight, and depart late in the evening. Guess what, no one did written statements <shocker>, so I can't even get a good grasp of what everyone had done until that point. Everyone is tired and no one works overtime from home. One thing we did suggest: pay the ransom.

31. On the Hacienda case: It could have been prevented, but it was too late
   Not only was the Dept. of Treasury breached through brute force of a public-facing service; it affected the backups as well. The IT staff involved were professional, knowledgeable and obviously concerned with the incident. To my surprise, every time I asked for something besides statements, they were diligent in ensuring my requests were acted on.
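   The slides say the breach came through brute force of a public-facing service but do not name the service. Below is an added example, not code from the talk or from CompSec Direct, of the detection a defender would want watching that service: it parses sshd-style authentication lines (the format is an assumption; the log lines, hosts and addresses are constructed for illustration), flags a source that piles up repeated failures inside a short window, and records whether a success followed the burst, which is the signal that the brute force actually worked.

```python
"""Brute-force detection over authentication log lines.

Added example (not from the talk). The slides only say a public-facing
service was brute-forced; sshd-style lines are assumed here and the
sample below is constructed, not a real log from the incident.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one source hammers root/backup accounts and finally
# gets in; a second source has a single typo followed by a key login.
SAMPLE_LOG = """\
2017-03-05T02:14:01 sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
2017-03-05T02:14:03 sshd[911]: Failed password for invalid user backup from 203.0.113.7 port 51002 ssh2
2017-03-05T02:14:04 sshd[911]: Failed password for root from 203.0.113.7 port 51003 ssh2
2017-03-05T02:14:06 sshd[911]: Failed password for root from 203.0.113.7 port 51004 ssh2
2017-03-05T02:14:09 sshd[911]: Failed password for backupadmin from 203.0.113.7 port 51005 ssh2
2017-03-05T02:14:12 sshd[911]: Accepted password for backupadmin from 203.0.113.7 port 51006 ssh2
2017-03-05T02:20:00 sshd[912]: Failed password for jdoe from 198.51.100.4 port 40001 ssh2
2017-03-05T02:31:00 sshd[913]: Accepted publickey for jdoe from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield (timestamp, failed?, user, source) for lines that match; skip the rest."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["result"] == "Failed",
                       m["user"], m["src"]))
    return events


def detect(log_text, threshold=5, window_s=60):
    """Return {source: finding} for sources with >= threshold failures inside
    window_s seconds. 'success_after' holds the account that later logged in
    from the same source, i.e. the brute force probably succeeded.
    Threshold and window are assumptions to tune per service."""
    findings = {}
    recent = defaultdict(deque)  # source -> timestamps of failures still in the window
    for ts, failed, user, src in sorted(parse(log_text.splitlines())):
        q = recent[src]
        if failed:
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold:
                f = findings.setdefault(src, {"failures": 0, "success_after": None})
                f["failures"] = max(f["failures"], len(q))
        else:
            if src in findings and findings[src]["success_after"] is None:
                findings[src]["success_after"] = user
            q.clear()  # a success ends the current burst
    return findings


if __name__ == "__main__":
    for src, f in detect(SAMPLE_LOG).items():
        print(src, f)
```

   The same logic applies to RDP, VPN or web-portal logins; only the parser changes. The follow-on question the slides raise, whether the compromised account could reach the backups, is a privilege question the log alone does not answer.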
32. On the Hacienda case: If, Else, Finally…
   At the time, the ransom to decrypt the backups was less than $1,300. To them, this seemed like an impossible option. I suggested to one contractor, UNUSP1, to try and decrypt one file from said backup solution to test if this was even possible. When you get hacked, ransomed, and have no alternatives, you pay the ransom, since Recovery Time Objectives (RTO) for businesses trump everything. Us talking about what to do next cost over $1,300, so I reminded them of this fact.

33. On the Hacienda case: A case for hack naked?
   Oddly enough, UNUSP1 was not able to accomplish this, which personally seems odd. You see, no one ransoms anything if they cannot make money. The service was up according to UNUSP1, but the statement "maybe it was a dependency of the victim system for bilateral communications that simply caused it to fail" was odd. Communications with the ransomware operators also yielded "no communications established the next day". However, since we had not been officially contracted to perform malware analysis, we did not. Instead, I uploaded the "alleged" ransomware virus to VirusTotal on March 7, 2017. You may say: upload the hash, not the file. That depends on what side of the fence you're on. More on that later…
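   The hash-versus-file question above is an OPSEC decision: a hash lookup only reveals that someone asked about that hash, while an uploaded file is redistributed to every VirusTotal subscriber together with anything the operators baked into it (victim hostnames, ransom-note contact details, paths with usernames). The following is an added example, not code from the talk or from CompSec Direct, of the triage a responder can run before deciding; the sample bytes are constructed and are not the Hacienda malware, and the lookup URL scheme is VirusTotal's public GUI path for a hash.

```python
"""Triage a suspected ransomware sample before sharing it with a public sandbox.

Added example (not from the talk). SAMPLE is a constructed stand-in with a
fake PE header and a ransom note carrying victim-specific details.
"""
import hashlib
import re

SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 32
    + b"Your files on FILESRV01.treasury.example have been encrypted.\x00"
    + b"Contact decrypt@example.net with id 10.20.30.40\x00"
    + b"C:\\Users\\mrivera\\AppData\\Local\\Temp\\note.txt\x00"
    + b"\x00" * 16 + b"ransom\x00"
)


def hashes(data: bytes) -> dict:
    """The three digests a VirusTotal hash lookup accepts."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


STRINGS_RE = re.compile(rb"[\x20-\x7e]{6,}")  # printable runs, like strings(1)

# Patterns that would identify the victim if the sample went public.
SENSITIVE = {
    "hostname": re.compile(rb"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+){2,}\b"),
    "ipv4": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+\.[\w.]+"),
    "user_path": re.compile(rb"[A-Za-z]:\\Users\\[^\\]+"),
}


def strings(data: bytes):
    return [m.group().decode("ascii") for m in STRINGS_RE.finditer(data)]


def sensitive_strings(data: bytes) -> dict:
    """Map category -> victim-identifying strings found in the sample."""
    found = {}
    for s in strings(data):
        raw = s.encode()
        for cat, pat in SENSITIVE.items():
            for m in pat.finditer(raw):
                hit = m.group()
                if cat == "hostname" and not re.search(rb"[A-Za-z]", hit):
                    continue  # dotted numbers are IPs, already covered
                found.setdefault(cat, []).append(hit.decode())
    return found


def share_decision(data: bytes) -> dict:
    """Recommend a hash-only lookup when the file carries victim identifiers."""
    h = hashes(data)
    leaks = sensitive_strings(data)
    return {
        "sha256": h["sha256"],
        "lookup_url": f"https://www.virustotal.com/gui/file/{h['sha256']}",
        "leaks": leaks,
        "upload_file": not leaks,  # only upload when nothing points back at the victim
    }


if __name__ == "__main__":
    d = share_decision(SAMPLE)
    print("lookup by hash:", d["lookup_url"])
    print("leaks:", d["leaks"], "-> upload file:", d["upload_file"])
```

   The other side of the fence is the one the talk alludes to: a hash lookup tells you nothing if nobody else has seen the sample, so a responder who needs a verdict fast may decide the disclosure is worth it. The check just makes that trade-off explicit before the upload is irreversible.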
34. On the Hacienda case: The malware
   We are sharing this after the conclusion of the event by providing an indirect link.

35. On the Hacienda case: Day 2
   By the second day, I re-experienced a common situation when this scenario happens: the system experts, who until the day of the incident had normal responsibilities, day-to-day duties and obligations, suddenly became engaged forensicators with investigative responsibilities; that was our job. I reminded the team that the situation was not contained; they needed to focus efforts on remediation first and help us collect artifacts of evidence of the crime for us to analyze, not them. Another common occurrence during this scenario is talk related to budget, which serves no purpose during a time-sensitive situation like this. At one point, I had to re-address marching orders, since the plan suggested by USP5 was not necessary for purposes of containment.

36. On the Hacienda case: It always sucks when it happens to you
   USP5 had recently started in this position. This is a normal occurrence in government, as newly elected officials place individuals of trust into government offices. This is why Ben Carson, a neurosurgeon by trade, is in charge of HUD. ???? He inherited all of these problems prior to starting, and less than 3 months is not sufficient time to get a grasp on even what your environment is.

37. On the Hacienda case: Resist customer bias when conducting investigations
   Let's take a break here on memory lane. Whenever I approach any situation involving LE, I think of the movie "Rising Sun". In the film, the protagonists use digital video evidence to help solve a murder case in Japan. Much like the movie, the IT department at Hacienda presented some initial evidence, potential suspects and MMO. Some things seemed the result of causality, others pure luck, others "very interesting timing". As an IR person, you have to resist your customer's bias, opinions and statements, and collect the entirety of the evidence you can to support any claims. This is difficult when you are not LEO and you are being paid by a customer.

38. On the Hacienda case: Resist customer bias when conducting investigations
   During our involvement, we provided strategic leadership advisory during the first days of the IR. This resulted in actions with consequences:
   1. We brought some systems back online vs. forensicating.
   2. We provided questions and action plans for the government to ask and do.
   3. We provided oversight of the battle plan.
   4. We briefed the director of Hacienda and the FBI.
   All in less than 3 days.

39. On the Hacienda case: On impostor syndrome
   As I reflect on this event, I felt I was unprepared to accomplish what we were asked to do based on scope, almost like pre-engagement jitters. Those immediately went away the more I talked with the staff, not because they didn't know what they were doing, but because I have done this before, on a larger scale, with fewer options. I knew I was in the right place by then.

40. On the Hacienda case: Inglés con fronteras (English with borders)
   Now, for us, we did not sign contracts or agreements with the government to formally do any work. The reason still baffles me: our NDA had jurisdiction in Maryland, which the government rightfully refused, but more so, the document was in English? How can a country that is attempting statehood claim such a thing? To date, I have no regrets about not jumping in head first in this engagement.

41. On the Hacienda case: As a small company, you're capped by your "war chest"
   A few weeks earlier, PR announced bankruptcy and I had no expectations of being paid in a timely manner. For us, we have native islanders that would have assisted us during the IR, but we don't have the capital to pay our staff when it could have taken X months to be paid. So as I'm finalizing this contract, I had a gut feeling that we simply could accomplish this IR, but I had no idea when we would get paid, so I said no to the IR, and instead suggested we do a case study and in the meantime address the language and contract barriers that we as a small company faced.

42. On the Hacienda case: Hurricane relief efforts > the cybers…
   Maria changed everything. As I was trying to maintain good relationships with USP1, it became clear to me that I did have impact on the IR and other efforts. Sadly, priorities change, and so does staff. I don't have the same relationship with the current CIO, but I would like to.

43. On the Hacienda case: Well, it's almost like you paid for it indirectly, so it's yours
   This case study sadly was never purchased; lucky for you, we are providing a redacted version of the case study tonight after the event on our site. The link will only work from PR IP space for the first week, and then becomes public to all visitors. Password to get inside is: <so secure jose……>Yes</so secure jose……>. We are also providing adaptable parts of the questionnaire used during the IR in hopes of getting more C-suite visibility on things they can do prior to and during an IR. Personally, I really tried to have Hacienda look over the redacted version. ¯\_(ツ)_/¯ Our case study was evaluated by a staff member at Hacienda, who commended our case study in relation to other deliverables.
44. On the Hacienda case: Closing thoughts
   Since this event was essentially caused by poor change management and poor preventative actions, we can expect this to continue happening. Since then, at least 4 more government agencies have been breached. To date, neither the FBI nor Hacienda has ever reached out to us for further assistance. However, their dependence on non-cyber-focused companies continues to grow based on practical needs for PR. They don't have to be secure, they simply need to improve the quality of life for citizens. Placing a Fortinet (I'm sorry, you're a sponsor, but ¯\_(ツ)_/¯) does not solve for any-any rules.
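   The any-any point is worth making concrete: the appliance enforces whatever policy it is given, and a "temporary" allow-all that never gets removed is a change-management failure, not a product failure. The following is an added example, not code from the talk, from CompSec Direct or from Fortinet, that parses a FortiOS-style `config firewall policy` export (the CLI syntax is as I know it; the policy names, interfaces and address objects are constructed) and flags accept policies whose source, destination and service are all unrestricted, along with whether logging was switched off on them.

```python
"""Audit a FortiOS-style firewall policy export for any-any accept rules.

Added example (not from the talk or from Fortinet documentation).
SAMPLE_CONFIG is a constructed export: one forgotten allow-all, one
properly scoped rule, and the intended deny-all catch-all.
"""
import re

SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "temporary-allow-all"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 2
        set name "vpn-to-fileserver"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "vpn-pool"
        set dstaddr "FILESRV01"
        set action accept
        set schedule "always"
        set service "SMB"
        set logtraffic all
    next
    edit 3
        set name "deny-everything-else"
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end
"""

SET_RE = re.compile(r"^\s*set (\w+) (.+)$")


def parse_policies(text):
    """Return one dict per 'edit N ... next' entry inside 'config firewall policy'."""
    policies, current, in_block = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s == "config firewall policy":
            in_block = True
        elif not in_block:
            continue  # ignore other config sections in a full export
        elif s.startswith("edit "):
            current = {"id": int(s.split()[1])}
        elif s == "next" and current is not None:
            policies.append(current)
            current = None
        elif s == "end":
            in_block = False
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2).replace('"', "").strip()
    return policies


def any_any_findings(text):
    """Flag accept policies with srcaddr and dstaddr both 'all'; a deny any-any
    is the catch-all you want, so it is left alone."""
    findings = []
    for p in parse_policies(text):
        if p.get("action") != "accept":
            continue
        if not (p.get("srcaddr", "").lower() == "all" and p.get("dstaddr", "").lower() == "all"):
            continue
        reasons = ["srcaddr and dstaddr are 'all'"]
        if p.get("service", "").upper() == "ALL":
            reasons.append("service is ALL")
        if p.get("logtraffic") == "disable":
            reasons.append("logging disabled")
        findings.append({"id": p["id"], "name": p.get("name", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in any_any_findings(SAMPLE_CONFIG):
        print(f"policy {f['id']} ({f['name']}): " + "; ".join(f["reasons"]))
```

   Policy 2 is what the allow-all should have been replaced with: a named source pool, a named destination and a single service, with logging on. Run the check against every export after a change window, because the rule that "solves" a connectivity ticket at 2 a.m. is the one the audit finds six months later.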
45. The appearance of PR on the Net
   We are a susceptible country on the net. The biggest challenge cyber security has also stems from the same problem security has in general: it produces zero income. The next problems are simply based on awareness of issues and willingness to adopt measures to reduce risk. How can we change that?

46. Let's actually be innovators for once
   We need to change the way government operates. For example, we have an unemployed labor force with some knowledge of IT. We can build a non-profit to help organize the labor pool, provide opportunities to defend and improve gov networks, and at the same time pay the participants for their efforts. I'm not talking about making a HackerOne or a bug bounty, not that; I'm talking about making this a thing in PR where we can build a vetted pool of defenders similar to our National Guard. None of the existing companies already embedded in gov can improve the problem, since they essentially made the problems; you need a third party. This can be done, Glorimar, I'm serious about this. We need to protect ourselves and improve opportunities for those that still live here. If you're part of those companies, we want to help your staff become better so they don't accidentally cause these problems. We don't want your jobs, we want to help you be better at it.

47. Gracias (Thanks)
   Enjoy the event.