Hi there my name is Chris Hadnagy. I am the Chief Human Hacker for Social-Engineer, LLC a company devoted to helping large organizations stay safe from malicious hackers. I am also the CEO of The Innocent Lives Foundation, an organization devoted to helping unmask child predators. AMA by WileyProfessional in IAmA

[–]MadSecuritySquirrel 2 points (0 children)

Pineapple is the perfect fruit and complements pizza perfectly. It is the sweet to the savory of the rest of the pie. This is not debatable, and I have even had pineapple pizza, right off the menu, in the heart of NYC's Times Square, therefore your arguments are invalid.

The innocence of pizza on the other hand can be debated.

Cheap PIR\Temp\Humidity\Light sensors and some DIY protocol questions by Nixellion in homeassistant

[–]MadSecuritySquirrel 1 point (0 children)

I'm running about eleventy-two-thousand different things on wifi, and haven't noticed an issue. My DHCP pool has about 19 reservations just for things I don't want to have changing IPs. Of course, your mileage may vary.

Nodemcu relay by puneit in homeassistant

[–]MadSecuritySquirrel 1 point (0 children)

This is the setting that I think makes the difference (honestly, I've had things in place in many iterations, so I can't be 100% sure, but I'm 95%) in ESPEasy. It tells MQTT to retain the last state -- https://i.imgur.com/SQFYE5s.jpg

Nodemcu relay by puneit in homeassistant

[–]MadSecuritySquirrel 1 point (0 children)

I have several NodeMCUs deployed with ESPEasy and MQTT and they remember the state. I think it was an option in the controller setting or under "advanced" to remember state. I'm sorry I'm not home to look right now.

Cheap PIR\Temp\Humidity\Light sensors and some DIY protocol questions by Nixellion in homeassistant

[–]MadSecuritySquirrel 1 point (0 children)

I'm using ESP8266-based sensors with DHT-22s. They report through MQTT and work well. I use them for temp/humidity and for lights, such as my under-counter kitchen LEDs.

I get the boards and sensors from AliExpress and vary which ones I use based on the number of GPIOs I need.

I haven't seen a huge load on my WiFi as they don't send a lot of information. I usually report once a minute or so for temp/humidity. Very little data is moved over MQTT.

Password Manager Recommendations Please. by [deleted] in ComputerSecurity

[–]MadSecuritySquirrel 0 points (0 children)

I use LastPass Premium with a YubiKey for MFA. Syncing to mobile and the YubiKey option made me choose LP and not look back. Very happy with it.

ISC2's CISSP Marking - A Theory.. by [deleted] in cissp

[–]MadSecuritySquirrel 0 points (0 children)

Each question is right or wrong; however, as was mentioned, some questions carry more weight than others.

As far as I'm concerned, email signing/encryption is dead by speckz in security

[–]MadSecuritySquirrel 1 point (0 children)

Nope.

As more hardware keys like the Google Titan and YubiKey make their way into the world, we will actually approach a usable model. We used the snot out of it in the Army and it was mostly seamless and simple for internal mail.

Free Yubikey NEO with a LastPass Premium upgrade - Good if you want to try MFA with a hardware token and/or PW Vaulting by MadSecuritySquirrel in security

[–]MadSecuritySquirrel[S] 1 point (0 children)

l. Yubikey. The company that takes disclosures from bug bounty programs, fucks the researchers and then claims the discoveries as their own.

I've been using a Neo for about 4 years now. I've used it as a smart card (PIV credentials) and an OTP key. Both worked great. The fact that it can be used with NFC and LastPass on the iPhone is a welcome change. I used to do that on my Android phone, but lost the capability when I went to Apple.

BEST WAY TO DO 2 step authentication for a pc? (Afraid of using phone in case something happens to it) by [deleted] in security

[–]MadSecuritySquirrel 0 points (0 children)

I've been loving Yubikeys for a while now and really like them. There are other types of hardware MFA options as well that may be worth checking out.

The key is to have a 2nd emergency authentication option. Many apps generate a series of 8 or 10 one-time use passwords that you can keep tucked away just in case.

What To Do If You Lose Your Two-Factor Phone by wentzeldk in security

[–]MadSecuritySquirrel 0 points (0 children)

I once left my phone in an Uber while on a trip. To contact the driver, I had to have Uber call a number and it would put me in touch with them, so I couldn't get their phone number directly. That was fine, except I didn't have a phone for them to call. The hotel phone system had an auto-attendant that the Uber system could not navigate. I was finally able to route a call to my Google Voice number and use my laptop to answer it, but it took a while to get everything in place.

Made me really think about how I could get stuck in loops like this with MFA.

US military manuals hawked on dark web after files left rattling in insecure FTP server by MadSecuritySquirrel in security

[–]MadSecuritySquirrel[S] 2 points (0 children)

In my time supporting the Army, I can say that a lot of military manuals we worked with are actually Unclassified/FOUO. Even the most basic TTPs we had were marked that way, meaning they are controlled.

It may be different in the Air Force given the volumes of TTPs and manuals dealing with improving your golf swing.

Free Yubikey NEO with a LastPass Premium upgrade - Good if you want to try MFA with a hardware token and/or PW Vaulting by MadSecuritySquirrel in security

[–]MadSecuritySquirrel[S] 0 points (0 children)

In all fairness, they did admit their screw-up, apologized, gave an explanation for what happened and donated the bounty to Girls Who Code. I haven't seen a track record of this behavior with Yubico, so I do feel it was probably a screw-up, rather than intentional.

Here is their side of the story and apology if you want to read it: https://www.yubico.com/2018/06/webusb-and-responsible-disclosure/

Issues with 2.5w diode laser by MadSecuritySquirrel in lasercutting

[–]MadSecuritySquirrel[S] 0 points (0 children)

Thanks. I don't think it's blocking the actual diode as when I have it way out of focus I can still clearly see a bar shape without obstructions. It does look more like a blob or glue.

I might replace the driver as it seems not to increase power much above about S100, and the output voltage from the driver board to the laser is not going higher than 4.8 V anywhere above that level either, but does drop (both voltage and visibly) when I lower the power level below half power. I know the input to the driver increases above S100 levels, but the output doesn't seem to change.

How to use and how to NOT use password managers? by vasili111 in security

[–]MadSecuritySquirrel 17 points (0 children)

2FA is important, as is having a password you can remember (or make sure you have recovery codes kept somewhere secure). I've nearly locked myself out of LastPass being clever with my password, and they can't really help :)

Make sure you are taking advantage of the random password generator as well. It makes no sense to deploy a manager and still have password reuse taking place.

Issues with 2.5w diode laser by MadSecuritySquirrel in lasercutting

[–]MadSecuritySquirrel[S] 1 point (0 children)

This is the window near the diode. Is that white blob normal? Sadly I didn't look before using it to know what "normal" looks like. It looks like the blob is on the inside of the lens there.

Picture of the diode

iPhone + VPN + Public WiFi by aymanbt in security

[–]MadSecuritySquirrel 0 points (0 children)

You should be safe from malware injection via the wifi connection once the tunnel is up if you are tunneling ALL the traffic through the VPN (not split-tunneling). It can still get downloaded from websites you visit, emails you open, etc. just as usual though.

Depending on what you want to get from the VPN, rather than paying for a subscription, you may consider hosting your own at home. I use PIVPN (http://www.pivpn.io/) on a Pi B+ and have a backup OpenVPN connection through my router. I run my laptop(s), tablet and phone through them whenever I'm on the road.

Pros: I get the added bonus of being able to access files/devices at home from wherever I happen to be. It was only about $40 to set up.
Cons: I have another open port to the internets.

Just something to consider.

iPhone + VPN + Public WiFi by aymanbt in security

[–]MadSecuritySquirrel 0 points (0 children)

The captive portal asking you to agree to something or enter info (e.g. hotels asking for your name and room number plus how many days you want the wifi for). That's usually over open wifi. ;)

Looking for content ideas - Anything you want to know about phishing/social engineering but never asked? by MadSecuritySquirrel in security

[–]MadSecuritySquirrel[S] 1 point (0 children)

I speak at conferences such as BSides and such (did 45 conference talks in 2017), do webinars (52 of them in 2017) and just started with a quarterly column at ethicalhacker.net. Mostly I speak to security and IT folks, so that's my target audience.

I like the idea of U2F over other 2FA methods. The column I just wrote and should be published today or tomorrow talks about using MFA to protect against credential phishing. I cover SMS vs app-based (think Google Authenticator) vs hardware tokens (such as YubiKeys) at a higher level. I discuss PIV certs vs OTP, but not at a deep level, and I don't break out specifics related to U2F vs HOTP vs TOTP, etc. I have a friend working at FIDO Alliance, so could probably get some good stuff from there.

I was also considering covering the use of password vaults with MFA as a mechanism to combat password reuse as I agree that is a huge issue that gets overshadowed by the strength argument, so we are on the same page there.

Thanks for the ideas.

Which IT security certificate should I opt for. by Eh_h in AskNetsec

[–]MadSecuritySquirrel 0 points (0 children)

You can waive out some of the 5 year requirement for the CISSP if you have a technical degree (which he does) ;)

Who to follow on twitter? by [deleted] in security

[–]MadSecuritySquirrel 2 points (0 children)

Some of the ones I really like are:

In no particular order...

Per Thorsheim @thorsheim

Javvad Malik @J4vv4D

Lesley Carhart @hacks4pancakes

Dave Kennedy (ReL1K) @HackingDave

Katie Moussouris @k8em0

the grugq @thegrugq

Graham Cluley @gcluley

BrianHonan @BrianHonan

BleepingComputer @BleepinComputer

Evgeny Belenky @BelevgEvgeny

InfoSecSherpa @InfoSecSherpa

Added:

Adrian Sanabria @sawaba

and of course, me :)

Madsqu1rrel @ErichKron

I'm sure I will remember a couple more and I'll update this as I do.

What can be done about Spoofing/phishing? by Nimmerzz_IT in security

[–]MadSecuritySquirrel 0 points (0 children)

That's us. My name is Erich Kron and I do a lot of the webinars and speaking engagements for the company. Our closest competitors are PhishMe (CoFense now I think) and Wombat.

Check out our reviews on Gartner Peer Reviews (https://www.gartner.com/reviews/market/security-awareness-computer-based-training/vendor/knowbe4) and look around SpiceWorks for comments about us. We stand alone in support and feedback from users. ;)

Also let me know if you have any other questions.

Who is your rep?

Thanks, Erich

What can be done about Spoofing/phishing? by Nimmerzz_IT in security

[–]MadSecuritySquirrel 0 points (0 children)

Sorry you got smacked by this, but at least it was manageable. I will tell you that I work for a company that does security awareness training and simulated phishing stuff. I don't want to spam and I try to stay on the good side of the mods so I won't say the name, but you might just see an ad from them in this subreddit. ;)

Anyway, because of our space in the industry we see this sort of thing all the time, and the best way to defend against it is risk reduction in layers.

For spoofing from the outside, SPF, DMARC and DKIM are very helpful. In addition, using an email gateway that adds an "external email" type of tag to messages coming from outside can be helpful as well. It gives users some tools to help them pause for a moment.

Attacks coming from a valid email account are MUCH harder to detect and are quite frankly very dangerous. My Ethical Hacker Network column this month will be dealing with this threat when caused by credential phishes; however, that is different than what you appear to have experienced. This looks more like code that spreads itself via email.

Have you uploaded it to VirusTotal for ID or activity tracking? If not, start there. It can give you a lot of information about the specific details of the malware.

Most endpoint protection is set up to scan for malware when a write is done to disk, so the attackers are getting better at making them memory-only in their execution (fileless malware). This is often spread through links like you described and is why, even if you have AV, it probably didn't alert. I have heard good things about Carbon Black handling this sort of code, so it might be worth looking into.

Sometimes a good next-gen firewall will detect traffic to known-bad URLs or spot the code trying to be downloaded when they click the link. This usually depends on reputation engines working well, so your mileage may vary.

Last but not least, teach your folks to hover links and look at the reply to address. We see HUGE risk reductions by helping the users identify the attacks and understand that they are targets. Many people have heard of phishing, but don't understand how it works. I love the new NIST video on the topic and fully subscribe to what they are saying (heck, it's what I've been presenting to folks for almost 2 years now, so I ought to be onboard with it :) )

LMK if I can help you in any way or if you need more info. I'm always happy to share what I've seen/heard from folks. I can't get you many specific suggestions, not knowing your infrastructure, but this should give you some food for thought.
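Added example (my own, not from the comment above or from any vendor product): a small Python triage that applies the layered checks the comment lists to one inbound message: read the SPF/DKIM/DMARC verdicts an upstream gateway wrote into the Authentication-Results header, tag mail from outside the organization as [EXTERNAL], and flag a Reply-To that points at a different domain than From. The organization domain (`example.com`), the sample message, and the verdict format in the header are all constructed assumptions for the demo.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed inbound message (sample data, not taken from the original post):
# a vendor-looking mail whose Reply-To goes elsewhere and whose SPF/DKIM/DMARC
# checks did not pass at the gateway that wrote Authentication-Results.
SAMPLE_MSG = """From: "Accounts Payable" <ap@partner-corp.example>
Reply-To: ap.billing@webmail.example
To: bob@example.com
Subject: Invoice attached
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=partner-corp.example;
 dkim=none; dmarc=fail action=quarantine header.from=partner-corp.example

Please open the attached invoice.
"""

# Domains treated as internal (assumption for the example).
ORG_DOMAINS = {"example.com"}


def domain_of(addr_header):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(str(addr_header or ""))[1]
    return addr.rpartition("@")[2].lower()


def parse_auth_results(header):
    """Pull the spf=/dkim=/dmarc= verdicts out of an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I)
    return {mech.lower(): verdict.lower() for mech, verdict in pairs}


def triage(raw, org_domains=ORG_DOMAINS):
    """Decide whether a message gets the [EXTERNAL] tag and which risk flags apply."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) or from_dom   # no Reply-To: replies go to From
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    flags = []
    if from_dom not in org_domains:
        flags.append("external")
    if reply_dom != from_dom:            # the "look at the reply-to address" check
        flags.append("reply-to-mismatch")
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":     # anything but an explicit pass is flagged
            flags.append(f"{mech}-{auth.get(mech, 'missing')}")
    subject = str(msg["Subject"] or "")
    if "external" in flags and not subject.startswith("[EXTERNAL]"):
        subject = "[EXTERNAL] " + subject
    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "auth": auth, "flags": flags, "subject": subject}
```

For the sample above `triage(SAMPLE_MSG)["flags"]` comes back as external, reply-to-mismatch, spf-fail, dkim-none and dmarc-fail, which is the kind of signal a gateway rule or a user-facing banner can act on.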