Security – Security War Wizard

New house, new security system

I recently moved to a new house (August) and decided that I was going to have a security system to replace the antiquated ADT system the previous owners had installed. I started looking around & decided that there were 3 that provided what I was looking for in a system. Nest, Ring, and Simplisafe. There were a couple others I looked at but I was looking for things like a glass-break sensor, doorbell camera, or a panic button that they didn’t offer.

That lead me to look into the 3 options I mentioned previously. I’ll start with the drawbacks for all three, then the benefits for all three & why I settled on what I did and the issues I ended up having with it.

The Nest is well known and I already had the thermostat & the smoke detector so adding the other parts would have been an easy choice but their parts are almost universally more expensive than the other two. Also their subscription package was the highest cost year by year. The Ring system seemed to be a bit cheaper on price but they don’t offer the option of a key fob to let you into the house without having to run to the keypad. Neither of these two offered a glass-break sensor or a panic button. Simplisafe was the cheaper cost for hardware but it currently doesn’t have an outdoor camera (they are working on it) and their subscription is nearly as expensive as Nest. They were higher on price for the extra siren if you wanted to go with that but Nest doesn’t offer one. Nest does also charge each year if you want cellular back-up and it’s motion sensor is in the door sensor which could be a benefit for some, but read about my issue below & it’ll explain why it wasn’t great for me.

Each did have a number of benefits if I was to choose them. All 3 offered a doorbell and indoor cam, monitoring, and door/window sensors. Simplisafe’s price on most items was the biggest benefit and covered the most check boxes I was looking for in the hardware area. Ring was the cheapest overall for the monitoring & what parts I could get total and it allowed a battery powered camera which means no drilling into brick to put the camera up. Nest would have integrated with the items I already had and also had the outdoor camera I want.

I ended up going with the Simplisafe system based on a few friends who have it & say they have no issues and it was easy set up and that it was hassle free. I haven’t had a perfect install or hassle-free yet and I still want to be able to have the outdoor camera so I hope they release that soon. My issues are not only with the installation but also with the fact that their marketing department took an idea and ran with it without fact checking anything.

The sensors are very easy to set up using a “command-strip” style double-sided tape but the sticky part does not stick very well, even after you clean & dry the surface you want to stick them to beforehand. I replaced a number of them with 3M Command strips.
The motion sensors are supposed to be “pet friendly” and are even identified on the site with the text of “We precision-engineered our motion sensors to detect the unique heat signature of humans. Not pets.” This is not true & apparent marketing B.S. After a few emails to them asking why my motion sensor was tripped by my two less-than-35-pound puggles (resulting in a call from the monitoring company less than 5 mins from when I left home), it turns out they recommend that if you have pets larger than 30 lbs, or that they may get close to the sensor (it’s heat-based IR), that you put the sensor up upside down at around 4′ off the ground. This way it will catch someone walking through but not the dogs. I decided to put both motion sensors in the basement & order some new window sensors for the areas that the dog would be.
The doorbell installation was pretty easy but as soon as I connected the doorbell to my system, the mechanical chime started ringing constantly and causing the dogs to go crazy. Another call from tech support and they shipped out a “chime connector” which appears to be some sort of resistor that you put inline to the power going to your chime. This stopped the constant ringing and allowed me to finish the set up for this item.
The WiFi for both of the cameras is a little flaky and can result in a “not found” message for them when they try to record or you try to view them live. I will be contacting the support team about this in the future.
The indoor camera is set to record any time the system is armed or disarmed so that’s a little odd. I am unable to find a setting that would allow me to turn it off anywhere in the app or the site.
I am unable to find anywhere to set a profile other than Off/Home/Away. I would like the option of adding a profile where I could be home, open the doors upstairs, etc. but if someone were to come in the basement, the motion detectors would trip.

All in all I’m satisfied with my purchase and so far with the settings. I have set it and used it for a couple weeks and it doesn’t make me feel like I live in a prison but it does allow for a small bit of comfort against break-ins even if I do live in a lower crime area.

What are your thoughts? Did you have other things I should have considered?

Too much work, not enough play/learning

I’ve taken over a lot of responsibility at work over the last 6 or so months and it’s caused me to lose a lot of time for learning new things. I’m still learning things related to work, about our tool set and such, but nothing “fun” per se. I went to DEF CON and Bsides LV a few weeks ago and saw a bunch of cool things but lately I haven’t had time to put towards anything quirky or fun. Have others felt this way at some point in their career?

Vegas interrupted

I made a trip to Las Vegas last week for “Hacker Summer Camp” to see people, present on a panel, and learn what I could from others presenting. There were the 3 usual conferences out there this year with Bsides Las Vegas & BlackHat starting off the week & DEF CON running through the weekend. I was only attending Bsides & DEF CON but issues arose and I was only able to attend Bsides.

At Bsides I was scheduled to present on a panel in the Underground track with my friends @jack_daniel, @mckeay, and @joshcorman and two new people I hadn’t met yet @p0lr_ and @thesuggmeister about stress and burnout. We chose to present in the underground track which doesn’t allow recording or digital devices because we wanted to have a candid discussion where no one was afraid to speak their mind about their job, personal life, etc. The talk went well and there were a lot of people who I feel connected with the topic. One person mentioned that they feel that it should have been recorded so people could take advantage of our experiences and we explained the reason for the decision. All in all I think it was a great talk but we definitely could have used more time than the hour.

I was able to get checked into DEF CON, get my ridiculously huge badge (a 45 RPM vinyl record) and visit the venue but being it was Thursday and there were only two tracks open, trying to get into one was really difficult with the amount of people there. I was able to connect with a few friends and coworkers during the day and catch a bit of the “Mission SE Impossible” at the SE village. All in all the larger venue should be a great thing but walking through the smokey casino at Bally’s from the Paris for a non-smoker is going to be a bit of a pain in the future. I wasn’t able to stay after Thursday though because around 5:30am Vegas time Friday morning I got a text that my sister was back in the ICU because of her cancer. I quickly changed my flight & hopped a cab to the airport. Leaving early wasn’t my plan but being by my sister’s side was definitely the right choice. I heard from some friends that they had a great time and my good friend & coworker @J_Fox was the winner of the SECTF and a DEF CON Black Badge!

Not sure if I’ll be making the trip next year but it allows me to see so many friends and network with so many people, so it’s always a possibility. I didn’t get to see nearly enough of the people I had on my list this year so we’ll see if I can catch them somewhere else during the year. Next up on the list is Source Conference Dublin! Anyone making that trip?

Chicago Conferences 2015

So another Chicago security conference season is in the books including @Thotcon & @BsidesChicago. This is the second year that I’ve attended from afar since I moved to the Detroit Metro area. This has presented it’s own challenges from places to stay, getting to the venues and trying to see all my friends from that area.

The weekend started with dinner with my friend @4n6woman on Wednesday night and rooming with another friend and their coworker. Thursday morning brought us Thotcon 0x6 and my 5th trip to this conference. Thotcon 0x2 was my first security conference so I have a soft spot in my heart for this one. The email from the organizers promised some updates and a number of new things in store for this year. I had a VIP badge so I was excited to see how they have changed things. The venue was the same one that they had for the last few years but a new configuration gave them a little more room, more areas, & less bleed-over from the hallway-con that has been an issue in the past. It is still in the middle of BFE from those of us that don’t live on the CTA lines though. While the conference itself seemed better from a layout perspective, this part still irks me. I’ve spoken with the conference organizers about this and the big issue I’ve been told is cost & the ability to get a good venue near the city for less money brought them back.

I spent a lot of day one on talking to friends and catching up but I did see the talk by a very smart lady I know @wbm312 who did yet another great talk this year called “Hacking the CFAA”. Great content and I wish I had a few hours to sit and talk to her about all the legal ramifications around the security work that we do on a daily basis. Day two brought a number of talks that I wanted to catch by friends and a few I didn’t know. One of the #BurbSec IRC crew (admford) did a talk on “How to Influence Elections on a Budget”, my friend @jack_daniel let us know “What we know & what we need to know”, another friend @claudijd spoke about sketchy “Trojaned Gems” in Ruby, and the #AwkwardHug master @jaysonstreet talked about “BREAKING in BAD!” where he is the one who doesn’t knock. I had to head back to NW Indiana that night so I didn’t get to see the after party but I had a few drinks with some friends on that side of the state line so it was all good.

Moving on to Bsides Chicago on Saturday brought a new venue, new speakers, and a new list of talks to learn from. The venue was different this year and outside of the ultra-loud A/C it was a pretty good set up. If you were paying attention the A/C the venue speakers could overcome the A/C for the talks. The keynote from @gdead was the first time I’ve heard him speak. Great talk & a lot of good points made including “I don’t care if you disagree, but let’s have a constructive conversation about it”. Later @harmj0y and @sixdub talked about abusing trust relationships in Active Directory, and the main reason for my attendance, @runasand talked about the Tor tools and their uses. These were the talks that stuck out to me & I feel gave some really great information on what is going on and thoughts about what to do about it when you go back to work Monday morning.

Overall the weekend was great. I had some new beers from a brewery across from the Thotcon venue, I was able to see a bunch of people I haven’t seen in a while, connect with some new friends, and just relax a bit from the stress of our daily lives as security professionals. What did you feel was the greatest thing about the weekend? Leave a comment or hit me up on twitter.

-Scott

Recap of CSA Norway, BruCON, & Dublin

Well it’s been a bit since I returned from Europe but I had a great time. Kai Roer set me up with a speaking engagement at the Cloud Security Alliance Norway chapter in Oslo. The topic was Vulnerability Management in the cloud. They were engaging and asked really great questions. We were able to stream it online so my team members who couldn’t make the trip could see it as well. The talk covered the decisions that need to be made about if scanning needs to take place, how often, what are the costs, and who’s responsible for resolving the vulnerabilities. The other reason for venturing to Norway was to meet Kai and see some of Norway. He was a gracious host and the country is beautiful. I need to put that on my list of places to go back to in the future for a longer trip!

BruCON was next on the itinerary and Ghent was beautiful. The conference was held at Ghent University and they had a great lineup of speakers like Jennifer Minella, Jim Fear, and Adam Schoeman giving talks on multiple technical levels. I was finally able to meet Jacob Kuehndorf when I roomed with him in Ghent. He’s a really great guy and was really helpful as I battled a head cold during my trip. I also was finally able to say hi to Marisa Fagan who also made the trip to Belgium all the way from San Fran. I caught up with a few people I know on that side of the pond like Trey Darley, Wim Remes, and Xavier Mertins and some from my side like Chris & Leigh Lytle, and Katie Moussouris. I do have to admit that Wim Remes was right though. He did find a Belgian beer that I liked when I got over there (even if it was through the proxy of Chris Lytle) so kudos to him on that one!

After BruCON was over, I headed to Dublin for a couple days to see what other gems I could find in my favorite country. Still battling the head cold I didn’t think that the “peat fire” in one tourist spot was a good idea though so I got my new tattoo & tried to meet up for a pint with a few friends. I wasn’t able to catch anyone near Dublin at the time but I reconnected with a couple people I knew at the hotel I stay at so it was still a good time. After that it was time to head back to Detroit and to the real world.

I attached a photo of the new tattoo below. Rachael is a great artist and I’ll be back there in May for Source Conference Dublin to get some script work done around it.

Credit vs Debit cards

This post is probably going to be mostly questions as I know little about the payment card industry, but here goes.

I was going through the drive-thru at a fast food establishment the other day and I was thinking about what card to give them. I have read the stories about how credit cards are “safer” than debit cards because any lost money through fraudulent use is the credit card company’s issue. You don’t really have to do much of anything other than report it, they reverse the charges and they worry about tracking down what happened.

Debit cards on the other hand, you do have a dog in the fight. From the same stories it says that you are sometimes liable for up to $500 if you don’t report it in the first two days. Well if you’re not paranoid and checking your bank online every day it’s easy to go over that line. Plus if you lost the money in the account, you may bounce things while waiting for it to be returned.

This brings me to the question about chip & pin. So let’s say the geniuses in DC decide they are going to force chip & pin because it will limit fraud, save time, etc. Great idea right? What will the consumers say? We’ve all heard the stories about people being upset that they have to remember passwords for however many different accounts. Now add a different pin to every credit card they own. At what point will they say “enough is enough” and ditch them?

They already have to use a pin to get money out of the ATM though so what about putting a chip in those cards & starting chip & pin that way? Would that even be an option? I would assume that the start-up cost to upgrade all the ATMs along with all the swipe pay terminals would be huge. The question would be: Would consumers be willing to upgrade to a chip & pin system if it meant they were no longer liable for the money fraudulently taken from their debit account?

No idea, just throwing it out there. Though my guess is no, they’ll just complain.

Sweet Home Chicago

Well another year, another Chicago conference weekend in the books. Last weekend was the THOTCon/BsidesChicago tandem which started my conference circuit with THOTCon 0x2. Since then I’ve hit a number of conferences across the Midwest and even Ireland, but I went back to my home town to see old friends & make new ones.

You could tell that both conferences did their best to not only provide relevant content, but also create an atmosphere where people wanted to be and wanted to learn. The struggle with this is that without doing the traditional “conference setup” of rooms with chairs and permanent audio equipment you run into bleed over from “hallway con” or other areas. Both conferences struggle with this because of venue choices in Chicago. You are restricted based on your budget & locations that can hold hundreds of people, as well as public transit and a venue that can serve alcohol. That said, I think both did their best to reduce the noise so those who wanted to hear the talks could do so.

So regarding the presentations, I have to say it was difficult to do a “best of” on each. I was able to catch a number of them at both conferences and many had really relevant or interesting topics. I sat in on my friend @claudijd and his fiancée @L_ORA about a privilege escalation vulnerability in Cisco firewalls, as well as a talk by Joe Cicero on P.I.S.S.E.D. (Privacey In a Surveillance State, Evading Detection). Both were very detailed and gave a great overview on their topic. I had to give “best talk” to two different presentations for this one though. I couldn’t make up my mind on who presented better nor on what topic was better between them.

@wbm312 gave a great talk about the legal issues on taking devices across the border, including the fact that the US Government considers anything within 100 miles of a border, International Airport, or main body of water (Great Lakes, etc.) as the “constitution free zone“. This hit close to home as I just came back from visiting my girlfriend in Vancouver, BC.

@hacks4pancakes also did an outstanding job on her talk with the “Ten Commandments of Incident Response (For Hackers)”. It briefly touched on “burn out” which I believe is an issue in Information Security, but also gave lessons learned from her personal experiences. One main takeaway for me was the fact that technical skills are great, but let your technician work on the problem rather than sit in meetings asking when it will be finished.

Moving on to Saturday was BsidesChicago. A number of talks were given by coworkers or friends at this one. I had to leave a bit early as I was fading fast (whole introvert thing getting in the way), but I have to say I enjoyed @securitymoey’s talk on “InfoSec Big Joke – 3rd Party Assessments“. He brought up some pretty good points including vetting the answers that your service provider returns. If you aren’t doing it, no one is.

Overall I had a good time and got to hang out with some great friends that I don’t get to see often now that I’ve moved to “the mitten” of Michigan. Looking forward to seeing them all again soon & in the interim back to learning!

How to focus on learning

So it seems that since my move life has been a bit of a blur. I’ve had to figure out where things are in the area, what vet to go to, get my license & plates changed over, and not the least of all, make sure all the bills get paid on time from the old house or the new apartment. While stressful, none of this is work related. I’ve been struggling to get time to sit down and learn new things like python scripting to plug into the API for the tool we use, or even get better with Linux to broaden my technical skills.

I even have an idea kicking around in my head for a talk the about the information security field and our constant thirst for knowledge but I haven’t had time to sit down and flesh it out. While some of you may be saying “yep, that’s life”, I wonder about those who struggle with time management and how they can continue to learn. When you have a long commute, or take care of a loved one (child or senior) in your off time, how do you manage to stay on top of things and remain relevant? Do you mainline espresso and forego sleep? Read articles when you’re on the train? Give up hobbies you loved in the past to keep up in the industry?

If you could leave a note and let me know what tips or tricks you can impart I’ll make them part of the talk I’m putting together regarding Infosec knowledge sharing.

Greetings from Michigan

Sorry for the long delay between posts. Life has been a little up in the air lately. I am now living near Detroit, Michigan working for VioPoint as a Senior Security Consultant. I had always said I didn’t want to be a consultant because of the travel required but this job seems to fit the requirements of “less travel”. I haven’t had to travel at all yet thankfully so we shall see if that continues.

The team I’m working with is awesome and many of you know them. @ZombieTango, @Dthom, @B31tf4c3, and @JimmyVo are all here and we’re headed up by @jwgoerlich. I’m slowly getting myself settled in my new apartment, house was sold in short order and the only problems I’ve had are with crapcast, so all-in-all it’s been a decent transition. I will be posting periodic work-related blogs on the VioPoint blog at http://www.viopoint.com/blog/. You can catch my first one there regarding auditing automation, and look for new ones coming later. As for this personal blog I just got it back up and running so I will assume that I will be posting more in the coming weeks/months. Keep checking here or Twitter to see if I can keep that up.

Until then I’ll be taking in the fall colors in Michigan and trying to learn as much as I can about the consulting gig.

THOTCon & Bsides Chicago

Well I’ve had a few days to recover from the awesomeness that is the Chicago Con Weekend. This year I was able to ride/stay with a friend from GrrCon who was attending with some coworkers, meaning the base for operations was in the city. This proved to be good for location but only average for room quality.

Friday morning we headed to THOTCon for networking, beer, food, talks, and just all-around awesomeness. Although I didn’t see all the talks I wanted, or the people I wanted to meet, I was able to catch the keynote, Ben Ten’s “Creating A Powerful User Defense Against Attackers”, James Arlen’s “The Message and The Messenger”, Cyberwar” with Josh Corman & Jericho, PhreakingGeek’s “Y U No Sanitize bro?” and David Schwartzberg’s “Fun with Exploit Kits for Tech Support”. You can find the information (but no recordings) at www.thotcon.org

Most of the talks I was able to see were good (the ones that weren’t don’t read my blog anyway). The information presented was relevant, and the speakers held their own on stage. James’ talk about presenting will help when I speak at GrrCon later this year, but I think the Cyberwar talk was by far my favorite. So much information was condensed into an hour talk it was hard to take it all in. What I did like was the discussion about the audience being a “cyber militia”. You do have to wonder if we all had to “fight” online, how many casualties would there be?

Saturday morning had us on the way to Bsides Chicago. This was set to be my first CTF experience and I wasn’t sure what to expect. I brought pretty much every piece of electronics I own with me and the weight of it tore my backpack. Learning how a CTF works and banging my head against the wall for most of the day was ironic when Nicolle Neulist’s talk about how to start with a CTF was at the end of the day 🙂

The CTF itself was not only brain-draining but a lot of fun! The challenges were set out in groups based on easy/hard/etc. When you get so close to solving one without knowing exactly what they are looking for, it can be frustrating, but seeing the points go up on the board makes it worth it. I was able to capture 8 flags total in what I feel was a respectable showing for a first-timer!

The THOTCon after-party was in downtown and had good food and drinks as well as DualCore on the mic for a short period. More people were met, more hands shaken, and more networking all the people!

All-in-all it was a great weekend and I’m glad I was able to see/make friends and most importantly learn a lot! Looking forward to Source Conference Dublin in a few weeks so I will see some of you again soon!