Stilgherrian (@stilgherrian)

Wentworth Falls NSW AU

The below is an off-site archive of all tweets posted by @stilgherrian ever

October 24th, 2013

@Mayav Ah, yes, I’ve done a lot of radio work over the years, and have been on @RNmediareport a few times now. It was a good piece today.

via Janetter for Mac in reply to Mayav

RT @RobertWinkel: @snare talking about otters or something pic.twitter.com/NX3YTNSVOW [I’m so glad someone caught this image.]

via Janetter for Mac

@franksting @_chesty @Mayav @RNmediareport Sad but true, though the “download” link is an MP3. As is the podcast. There’s the ABC app too.

via Janetter for Mac in reply to franksting

RT @Steve_Lockstep: Gold: @richardaedy on @RNmediareport tells @stilgherrian “you do not have a subdued personality” [Yes, I LOLed.]

via Janetter for Mac

Yes, @Mayav @_chesty, that was me on the radio around 1745. On @RNmediareport. The audio is at abc.net.au/radionational/…

via Janetter for Mac

@smperris Well yes, that’s kinda my point. “The government” covers many things.

via Janetter for Mac in reply to smperris

That always sounds more mysterious than it actually is.

via Janetter for Mac

I missed the official Breakpoint party. I had an interesting dinner with a security vendor chap and a chap from the government.

via Janetter for Mac

And Breakpoint Day 1 is over (apart from the party from 1900 AEDT).

via Janetter for Mac

RT @kcarruthers: @stilgherrian I AM NOT FAXING ANYTHING FOR YOU EVER AGAIN!!!! [This is good advice, people. Listen to Kate.]

via Janetter for Mac

I do like “the one and only @stilgherrian”, @richardaedy.

via Janetter for Mac

richardaedy Minutes away from @RNmediareport - with @sedvitae, Di Thomas of @bordermail & the one and only @stilgherrian

via Twitter for iPhone (retweeted on 5:32 PM, Oct 24th, 2013 via Janetter for Mac)

RT @shipw: Memory capture 101 as @snare segues from pugs to otters [Yes, this is a good summary.]

via Janetter for Mac

On this week’s @RNmediareport I talk about my @Pozible crowdfunded journalism project. Today 1730, podcast to come at abc.net.au/radionational/…

via Janetter for Mac

OK, this is not tweetable stuff yet. Interesting, but impossible to summarise on the fly.

via Janetter for Mac

His talk is really about memory capture and “tepid reboots” and capturing memory via UEFI BIOS.

via Janetter for Mac

Next up, “The Mathematics of Wonton Burrito Meals” [!] with @snare. ruxconbreakpoint.com/speakers/#Snare

via Janetter for Mac

That was a fast zoom through all manner of stuff at a deeper level than could be tweeted. Just look out for @aaronportnoy’s material.

via Janetter for Mac

@moldor I am fairly sure that you will see this dissertation in the not too distant future.

via Janetter for Mac in reply to moldor

I’ll be taking actual photos tomorrow.

via Janetter for Mac

RT @darrenpauli: .@beist at ow.ly/i/3vSSZ [Today’s lesson: don’t leave this man alone with your television.]

via Janetter for Mac

“The Unauthorised Rules For Doing Business In Australia”, writes @Colgo. I approve. businessinsider.com.au/the-unauthoris…

via Janetter for Mac

shipw When @i0n1c says “so I poked around in the kernel a bit” I’m thinking “a bit” translates to weeks of mortal time

via Echofon (retweeted on 3:15 PM, Oct 24th, 2013 via Janetter for Mac)

@moldor That part I knew. Today I learned in quite some detail exactly how dumb Smart TVs are. And they are very dumb indeed.

via Janetter for Mac in reply to moldor

@troyhunt @nickstugr I don’t disagree. That’s why I’m feeling suitably chastened by @chrisbrownie. I know how much of a bad man I am. :/

via Janetter for Mac in reply to troyhunt

RT @alex_gaynor: What. The. Fuck. Is. Wrong. With. Our. Industry. eventbrite.com/event/89383939… [Oh FFS! HT @gattaca]

via Janetter for Mac

@snare Hah! Yeah, I’d got THAT part. But the furthest I’ve gone down this rabbit-hole is compiling custom-config Linux kernels and GRUB.

via Janetter for Mac in reply to snare

@nickstugr @chrisbrownie Thanks very much. I’ve seen StartSSL’s name around for ages, and @troyhunt’s no fool. Appreciated.

via Janetter for Mac in reply to nickstugr

@chrisbrownie Any you’d recommend? To be honest, I’d assumed that “free” SSL certs were a scam of some sort.

via Janetter for Mac in reply to chrisbrownie

This week’s ABC @RNmediareport includes a chat with me about my @Pozible crowdfunded journalism project. abc.net.au/radionational/…

via Janetter for Mac

Yeah, had to deal with a phone message early up during the presentation, so I’ve lost the thread.

via Janetter for Mac

So @i0n1c begins. If I start losing the plot here, which is likely, I’ll take a brief break to deal with some phone calls and suchlike.

via Janetter for Mac

@chrisbrownie I wish I could argue against this proposition right now.

via Janetter for Mac in reply to chrisbrownie

Next up, “Advanced iOS Kernel Debugging for Exploit Developers” by @i0n1c, which I suspect will drill too deep for me.

via Janetter for Mac

The presentation is getting into deep technical details now, and I’ve been distracted by a phone call. Oops.

via Janetter for Mac

@chrisbrownie I know. No-one ever uses the web interface anyway. No-one ever checks certs either.

via Janetter for Mac in reply to chrisbrownie

Is this wormable? FireEye claims 30% market share in the Top 100 companies. Make malware that sends N rehashed copies of itself.

via Janetter for Mac

There are ways of setting up a loop so the malware replicates and you get a 2^n exponential rise in processor load after n loops.

via Janetter for Mac

To mitigate this, you could have a separate dedicated internet connection for connecting back from the sandbox. But, still problems…

via Janetter for Mac

That means you’re giving a shell to your attacker inside your DMZ for five minutes, which JB says is “really dumb”.

via Janetter for Mac

Another problem is that the malware is still allowed to connect back to the internet, at least in default mode.

via Janetter for Mac

JB says there’s no third-party assessment done by security community, and a lack of top-level talent at FireEye. [No punches pulled!]

via Janetter for Mac

That said, JB acknowledges that FireEye was first to market and market leader, so respect for that.

via Janetter for Mac

“Does anyone here work for FireEye?” asks JB. A hand is raised. “Sorry mate.” FireEye response, “Hey it’s nothing personal.”

via Janetter for Mac

The malware just starts by sleeping for 5 minutes until the malware detection gives up due to limited resources.

via Janetter for Mac

The analysis of the Adobe sandbox hack e.g. by FireEye is “complete bullshit” says JB. He has a better theory of what’s happening.

via Janetter for Mac

2013 trends: AV is a thing of the past. It’s about sandboxing and behaviour analysis. Then Adobe’s sandbox gets hacked this year.

via Janetter for Mac

“Does anyone work in anti-virus?” @bigmac from @avgaunz raises a hand. “It’s fucking bullshit,” says JB, “You are the victim today.”

via Janetter for Mac

Sandboxing? “WTF is the AV industry going? Well I’m not so sure any more.”

via Janetter for Mac

Next up, “Malware, Sandboxing and You: How Enterprise Malware and 0day Detection is About To Fail (Again)” with Jonathan Brossard.

via Janetter for Mac

And we’re back after lunch, covering Day 1 of Breakpoint. ruxconbreakpoint.com Mute the tag to avoid my many tweets.

via Janetter for Mac

Now it’s clear that a Mom and Pop shop doesn’t need weaponised ebola. Is an 0-day the same thing, with no “legitimate” uses?

via Janetter for Mac

The question arises, how do you decide which malware is 100% bad and should be banned or regulated, and what’s “dual use”.

via Janetter for Mac

Academic literature is drifting towards something like the Wassenaar Arrangement as a model. en.wikipedia.org/wiki/Wassenaar…

via Janetter for Mac

The economics academic literature had all sorts of stuff on how we might regulate this sort of market.

via Janetter for Mac

Prices going up, not down, because it’s not a “perfect” (transparent) market, and used to traditional “weapons of national power” markets

via Janetter for Mac

Since malware cycles are faster, governments would want to stop prices escalating, but they’re not acting that way.

via Janetter for Mac

With malware markets, there’s more emphasis on the knowledge rather than the thing itself.

via Janetter for Mac

I haven’t been tweeting this session because it’s more discursive (and fast and witty!) but I’m recording and can summarise later.

via Janetter for Mac

@michaelneale We’re not up to the answer to that question yet. We’re still backgrounding historical models for the global arms markets.

via Janetter for Mac in reply to michaelneale

Markets are for goods and services. Weapons systems are usually provided as goods. You don’t want to outsource running ICBMs.

via Janetter for Mac

Currently the market for 0-days and digital weapons is being handled the same way, with high prices being paid.

via Janetter for Mac

Traditional weapons systems are in a “monopsony”, with one buyer (the govt) and a few vendors, and long sales cycles (decades!).

via Janetter for Mac

There is a distinction between the markets for malware and the markets for weapons like tanks, fighter aircraft and ICBMs.

via Janetter for Mac

Next up, “The Political Economy of the Cyber-security and Malware Markets” with Michael Sulmeyer ruxconbreakpoint.com/speakers/#Mich…

via Janetter for Mac

As a final touch @beist shows how to pop up false news tickers on top of live news TV programs, à la “Obama dead”. Much applause.

via Janetter for Mac

RT @bigmac: 85 slides so far in half as many minutes. That might give you an idea of the pace of this talk..

via Janetter for Mac

Without going into more detail, the amount of complex reverse-engineering this guy has done is truly impressive.

via Janetter for Mac

The vendor’s camera API only works in an app, so it can’t run in background, so he reverse-engineered it to write his own. [!]

via Janetter for Mac

The TV has no fan or spinning hard drive, so there’s no way to tell it’s still on. [Unless you measure power consumption?]

via Janetter for Mac

Turn-on / turn-off is done by TCTv::Power(). Hook that so it turns off power LED indicator but leaves kernel and rootkit running. Done!

via Janetter for Mac

Vendor says that TV can’t take pictures when it’s turned off, so this risk is really nothing to worry about. But…

via Janetter for Mac

RT @LincDK: More value in using smartphones as audio surveillance not video I’d imagine. [Agreed. Much less power usage too. ]

via Janetter for Mac

RT @chrisjrn: Most phones have a light meter; why not only take photos when there’s more light than you’d get in a pocket? [Good idea. ]

via Janetter for Mac

“Do not put the Smart TV in the bedroom.”

via Janetter for Mac

The Smart TV does not move, and has mains power, so these two problems are not present when it’s used as a surveillance device.

via Janetter for Mac

1. Only 1% of pics useful; 99% were inside of pockets or motion blurred. 2. All these photos kill the phone power quickly.

via Janetter for Mac

The “smartphone as surveillance” idea is problematic. He took 1 photo per minute for 24/7. Two problems…

via Janetter for Mac

“When I told this to the vendor, there was much shame.”

via Janetter for Mac

The TV has a PREVENTER daemon to detect and kill unsigned code… but you can just kill the PREVENTER daemon. Doh!

via Janetter for Mac

The explanation of how to get a shell is a bit too deep into how .so shared libraries are loaded for me to fully grok.

via Janetter for Mac

RT @semibogan: @stilgherrian @beist is fucking awesome [I have come to that conclusion, having seen how he works through this stuff.]

via Janetter for Mac

He’s found some ways to do MITM attacks on the crypto while handling app updates. Some parts don’t check the certs. Lulwut?

via Janetter for Mac

There’s around 10 daemons listening on TCP/UDP to provide various rich user experiences. “Port 55000 looks interesting.”

via Janetter for Mac

Short version of all this is that if the attacker is on your network it’d be straightforward to pwn the TV.

via Janetter for Mac

My interpretation having seen these slides: The software architecture of the Smart TV from this “unnamed vendor” is total shite.

via Janetter for Mac

“There are many functions that handle string/data wrongly.” Yes, yes there are.

via Janetter for Mac

We are now looking at bugs in the assembler code of a smart TV from “an unnamed vendor”, and a way to execute anything as root.

via Janetter for Mac

Problems of SDK security policy: API-level sandbox not the best; all apps run as root. “So that’s a major fail.” Yes, yes it is.

via Janetter for Mac

So your code can’t access many resources, needs to attack bugs in browser and plugins including Flash, or bugs in vendor’s SDK.

via Janetter for Mac

Some vendors don’t allow apps written in C/C++ or whatever, just JavaScript, HTML, Flash, for reason of security and portability.

via Janetter for Mac

The attacking device is Arduino with Bus Pirate, attack binaries, see what error messages come from UART.

via Janetter for Mac

Two ways to get into service modes. One with key combination. One with a factory button, but remote doesn’t have one, so replicate RF.

via Janetter for Mac

Currently some technical details of how you start breaking into the firmware. Too much to tweet meaningfully.

via Janetter for Mac

If you brick it, you have to send it in for a factory reset. He’s had to do it three times. They keep asking him how it happened…

via Janetter for Mac

The Smart TV code runs on top of Linux but is not open source, more than 200MB of code. Research can brick the TV.

via Janetter for Mac

Also a motion sensor, so you can play Angry Birds by waving your arm.

via Janetter for Mac

Smart TV is just a TV screen with a PC, camera and mic on top models, has Bluetooth and wireless. “This one has Linux on ARM.”

via Janetter for Mac

In 2013, a total of more than 80 million smart TVs were sold globally. In Korea, there’s smart TVs in restaurants, companies, schools.

via Janetter for Mac

He stresses that this presentation is about general security for smart TV. “But not for a *specific* vendor :D”

via Janetter for Mac

So this guy is on the advisory council for Korea’s Cyber Command, also technical advisor for Samsung Security Centre as of last month.

via Janetter for Mac

Next up, “Hacking, Surveilling, and Deceiving victims on Smart TV” by @beist ruxconbreakpoint.com/speakers/#Seun… Lee

via Janetter for Mac

Morning tea. I’m covering Breakpoint today and tomorrow. Program at ruxconbreakpoint.com/schedule/ We resume at 1030 AEDT.

via Janetter for Mac

On Android and iOS, you can long-press on a link and it will show you the URL it will go to. That’s new to a bunch of people.

via Janetter for Mac

@jeamland How do I know you’re not a robot?

via Janetter for Mac in reply to jeamland

Overall, this all has to be fun for everyone, not Mandatory Company Training Or You Will Be Fired.

via Janetter for Mac

@jeamland You are a bad man. Also, I did not click on that link, and will not.

via Janetter for Mac in reply to jeamland

They’re going for herd immunity, so only new employees fall for it, and then water cooler conversation happens to spread education.

via Janetter for Mac

If you set up DMARC, DKIM, and SPF on your mail server, it’s almost impossible for someone to spoof email into your own domain.

via Janetter for Mac

RT @darrenpauli: Extend your red teaming by mugging newbie employees for their laptops [Then give your lawyer Darren’s address.]

via Janetter for Mac

Correction to metrics mentioned earlier: Twitter measured clicks on email links, and whether they entered credentials on the fake page.

via Janetter for Mac

RT @darrenpauli: Twitter used modified sptoolkit.com for its internal phishing initiative. SPtoolkit project has closed though

via Janetter for Mac

Your metrics will tell you which demographic of your employees are most vulnerable.

via Janetter for Mac

One employee challenged him, saying that if he could successfully phish her in the next round she’d bake him cookies.

via Janetter for Mac

RT @darrenpauli: Automate your phishing with @haroonmeer’s Phish5. @riskybusiness podcast > risky.biz/RB293

via Janetter for Mac

When someone successfully ID’d a phish, one of @Viss’s, and reported it, he would personally respond and congratulate them.

via Janetter for Mac

Budget for this thing? $5000 per quarter is plenty. Give positive feedback to people who learned, i.e. a decent award of some kind.

via Janetter for Mac

So how do you get executive buy-in to creating this sort of program? Just phish them! “You can’t do this?” “Why not? Just do it.”

via Janetter for Mac

If you want your phish to succeed, attack their vanity. “Your account has been approved for verification” almost always works.

via Janetter for Mac

Twitter used an internal email address “phishy” for staff to report suspected phish attempts.

via Janetter for Mac

“Designing the training pages that anyone can learn from them is key.” Be lighthearted, but convey the seriousness of the issue.

via Janetter for Mac

… adjusting the trim (at Twitter they measured click-through rates over time to see which training improved behaviour).

via Janetter for Mac

… the reveal (landing pages that explain, gotcha, they’ve been phished, with education material, uniform repetitive motions).

via Janetter for Mac

Issues are cadence (how often?), pretexts (structure around threat landscape, and actual spam you’re receiving); performance metrics…

via Janetter for Mac

By the time they get hit with a real phishing campaign, hopefully they’ve got some muscle memory and won’t automatically click.

via Janetter for Mac

If your people keep getting hit with viagra spam, you need to hit them with viagra spam too. Spearphish your people regularly.

via Janetter for Mac

Symptoms are hacked machines and data exfiltration. Root cause is people not paying attention. So get them to pay attention.

via Janetter for Mac

What to do? Identify symptoms. Investigate root cause. Treat the root cause.

via Janetter for Mac

So how do you vaccinate against phishing? What’s the point? People still click.

via Janetter for Mac

Antibodies. “How do you teach a person to duck a punch? You punch them in the face until they get it.”

via Janetter for Mac

darrenpauli .@Viss talking about Twitter’s internal phishing initiative at . Here’s my write up scmagazine.com.au/News/355048,he…

via Twitter Web Client (retweeted on 9:14 AM, Oct 24th, 2013 via Janetter for Mac)

Neutrophils in the immune system do the same thing as infosec responders: flood to the site of infection and deal with it.

via Janetter for Mac

Since people do get caught by phishing, and the incident response team reacts, could it be like how the human immune system works?

via Janetter for Mac

The supposed “sophisticated phishing” that the Syrian Electronic Army used to hack the media outlets was really basic stuff.

via Janetter for Mac

First up, “Building Antibodies - The Phishing program at Twitter” by @Viss

via Janetter for Mac

Arrived at Breakpoint. Whoever I am. #bpx instagram.com/p/f00MDPiFrl/

via Instagram

Thu plan: Breakpoint conference all day ruxconbreakpoint.com, mute to avoid my tweets; conference party; pretty sure that’s all.

via Janetter for Mac

@JanJoostBouwman Um I have four internet-connected devices here…

via Janetter for Mac in reply to JanJoostBouwman

@BrigadierSlog No, actually, I retweeted someone else’s comments. I think there was an @abcnews [?] story at the time.

via Janetter for Mac in reply to BrigadierSlog

bigmac Want to know which programs are talking on the network on Mac OS-X? From terminal -> sudo lsof -Pnl +M -i

via Janetter for Mac (retweeted on 7:22 AM, Oct 24th, 2013 via Janetter for Mac)

New at Corrupted Nerds: “Breakpoint and Ruxcon coverage brought to you by…” corruptednerds.com/blog/breakpoin…

via Janetter for Mac

RT @damana: so you mean excent. [Or even “exceent”?]

via Janetter for Mac

Oh excellent, the “L” key on my MacBook Pro seems to have died.

via Tweetbot for iOS

thegrugq I love this KGB manual — “in America it is customary to change white shirt and socks every day”

via Tweetbot for iOS (retweeted on 6:50 AM, Oct 24th, 2013 via Janetter for Mac)

@SpawnRich “I will not be lectured on personal responsibility by that man!”

via Tweetbot for iOS in reply to SpawnRich

Relief about the fires, yes @mattdasilva, but for other people, not myself. I have very little up there.

via Tweetbot for iOS in reply to mattdasilva

Thu plan, draft; Quick blog post; Breakpoint conference all day ruxconbreakpoint.com; conference party; pretty sure that’s all.

via Tweetbot for iOS

Hello, Thursday. Hello, a cool Melbourne morning. Let’s figure out what is going to happen.

via Tweetbot for iOS

So tired. Way past my bedtime. I am collapsing now. Four days with hackers. This will not end well. Gone.

via Tweetbot for iOS

@WP_DownUnder No problems. It’s always useful for people to see real-world photos.

via Tweetbot for iOS in reply to WP_DownUnder