How I learned about file encryption

So a week or more ago I mentioned on Twitter that I would tell the story of the horrible encryption failure I had when I first found out about how to encrypt data. When I first moved into Information security years ago, I learned about how you could encrypt data and no one would be able to view it without the key.

So I was running Windows XP at the time and I decided to play with the Windows EFS on my home machine. I encrypted my local “personal data” folder, and moved it off to secondary storage. I was able to view it, open it, move it back and forth, etc. The time came to reload my machine. I was careful to move and verify all my data on the secondary storage, verified I could access it, open it, etc.

I proceeded to DBAN the local drive, reload the OS, install the applications, and when the time came to move the data over, I couldn’t open it. I thought “Hmm…that’s odd…” I proceeded to try to re-copy the data over to the local drive, and check a few of the attributes of the file before realizing that I had encrypted the files before moving them. I moved them to an NTFS drive, which meant it kept the encryption intact when I copied them to the external drive. I did my best google-fu to try to find any way to get this data back. The “personal data” contained family photos, my resume, web favorites, etc., so I was definitely not happy about losing it.

I even went so far as to ask a coworker to call in a favor to a friend at Microsoft. The reply was there was no backdoor/master key to get the data back again. I was learning a hard lesson in encryption really fast. Although I knew the passcode for the key, I was unable to retrieve the data. The good thing that it did was make me want to learn more about file encryption and what can/can’t be done with it.

I learned about file versus whole disk encryption, as well as where keys are stored. I also learned to be sure that no matter what, you move the keys if you’re going to wipe a drive! If I can offer anything to anyone about file encryption it would be to completely understand how it works before you play with live data when you have no other copy.
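The key-backup step from the lesson above, as an added PowerShell example (this is not code from the original post): it inventories the files that still carry the EFS Encrypted attribute, exports the EFS certificate together with its private key, and verifies that the export actually loads before anything gets wiped. It assumes Windows 8 or later with the PKI module (`Export-PfxCertificate`); on older systems the same export is done with `cipher /x` where available or the export wizard in certmgr.msc. The paths in `$DataPath` and `$BackupDir` are placeholders.

```powershell
# Added example (not from the original post): before wiping a drive, find what
# is EFS-encrypted and export the EFS certificate + private key that decrypts it.
# Assumes Windows 8 / PowerShell 3+ for Export-PfxCertificate. $DataPath and
# $BackupDir are placeholder paths.
param(
    [string]$DataPath  = 'E:\personal data',   # the folder you are about to move
    [string]$BackupDir = 'F:\efs-key-backup'   # somewhere that survives the wipe
)

# 1. Inventory: which files still carry the Encrypted attribute? Copying to NTFS
#    preserves it, and such files are unreadable without the matching private key.
$encrypted = Get-ChildItem -Path $DataPath -Recurse -File |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted }

if (-not $encrypted) {
    Write-Host "No EFS-encrypted files under $DataPath"
    return
}
Write-Host "$($encrypted.Count) encrypted file(s) found, e.g. $($encrypted[0].FullName)"

# 2. Which certificates can decrypt a given file? cipher /c lists their thumbprints.
cipher.exe /c "$($encrypted[0].FullName)"

# 3. Locate the EFS certificate(s) in the user store (EKU 1.3.6.1.4.1.311.10.3.4)
#    that have a private key. EFS self-signed keys are exportable by default.
$efsEku   = '1.3.6.1.4.1.311.10.3.4'
$efsCerts = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $efsEku) }

if (-not $efsCerts) {
    throw "No EFS certificate with a private key in Cert:\CurrentUser\My; without it the files above are unrecoverable"
}

# 4. Export each one as a password-protected PFX to storage that survives the wipe.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (you will need it after the reload)'
foreach ($cert in $efsCerts) {
    $out = Join-Path $BackupDir "efs-$($cert.Thumbprint).pfx"
    Export-PfxCertificate -Cert $cert -FilePath $out -Password $pfxPassword | Out-Null
    Write-Host "Exported $($cert.Subject) [$($cert.Thumbprint)] to $out"
}

# 5. Prove the backup is usable *before* DBAN: the PFX must load with the password
#    and contain a private key. After the rebuild, restore it with
#    Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\CurrentUser\My
foreach ($pfx in Get-ChildItem $BackupDir -Filter *.pfx) {
    $check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfx.FullName, $pfxPassword)
    if (-not $check.HasPrivateKey) { throw "$($pfx.Name) has no private key; do not wipe yet" }
    Write-Host "Verified $($pfx.Name) (private key present)"
}
```

Run it as the user who encrypted the files, since EFS keys live in that user's profile and certificate store, which is exactly what a reload destroys. The verification step matters as much as the export: a PFX written with a mistyped password, or one exported from a certificate whose key was marked non-exportable, looks like a backup right up until you need it.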

Also…if anyone breaks AES-256 EFS I’d like to chat with you 🙂

Information Addict

Part of the Information Security profession is staying abreast of the news and events in the technology world. You need to know what attacks are going on in order to know how to defend against them. When you start out in this industry you feel like you’re always behind, always trying to catch up. You read everything you can get your hands on, hoping that you don’t miss something important. The problem with this is that it consumes all your free time. After a while, you begin to see what you can pass over or just skim. New virus comes out? Great, there’s an update against it, right? I can skip the part about how it was discovered on one machine on the other side of the world.

What you start to realize though, is you become addicted to information overload. You follow hundreds of people on twitter, dozens of blogs, you peruse the tech sites, and if there is a lull in the timeline for even five minutes, you start to wonder if you lost your Internet connection. You skim your twitter stream looking for articles to read, glossing over someone asking a question or looking for help. You start to read a longer article with an actual build-up and you get frustrated because they aren’t getting to the point fast enough. What you don’t realize is that “the point” sometimes is the build-up. Journalists get paid to tell a story, so that’s what they’re going to do.

Even those that you look up to in the industry, the ones that you think “wow…they really have it together, how do they keep up?” are skimming too. The ones that follow over a thousand people? Attending DefCon, I found out they see it as drinking from a fire hose as well. They miss things. The humble ones admit it and are willing to talk about it. They try to keep in touch with the people in our industry that matter. They try to stay plugged in as best they can. They are going to miss things, just like we all miss things. What matters is that they are trying, just like you are. When you think you know it all is when you have the most to learn. Keep reading, you never know what you may miss.

Vegas, the week after…

So I’ve returned from Blackhat & Defcon 2012, and I’ve had a week to let it all sink in. I met more people than I can recall, and most of the people on my “must meet” list. I came away with some good and some bad things from the trip, including the city, sites, and people I interacted with.

The trip started off pretty tame, made it to Vegas, deplaned, and noticed that there were slot machines in the airport. Not unexpected, but what was unexpected was the long lines I was to encounter for most of my trip. After I left the baggage claim, there were lines for cabs, lines to check in at the hotel, lines for lines. It was crazy. Being someone that doesn’t do well in crushing amounts of people, I was a little unnerved. It was my first time in Vegas and my first time at a major conference. I headed to Blackhat, and after the keynote speech ended, there was a mass of people trying to get to their next talk/meeting/vendor discussion. It took me a few days (read: until Defcon) to realize that unless you *really* have to see some talk, if you don’t make it, you don’t. Hallway con is definitely worth it as an alternate. You get to meet quite a few interesting people, and make some connections that continue via social media after the conference. Defcon was definitely a better time for me. I felt more relaxed, I didn’t feel like I was going to wander into the wrong area, and could just soak in the atmosphere.

Another thing that shocked this kid from the South Side of Chicago is the prices for everything. My company put me in the Bellagio for the week, and the food and drinks they had were through the roof! I’m used to hitting the local McD’s if I need breakfast. I went to the local cafe there, and I could have eaten fast-food breakfast for a week on the cost of one meal. I finally did find some less expensive things to eat, but it was a shock to the system.

The big thing that I would tell to someone going to Blackhat, Defcon, or BsidesLV for the first time though, is meet people. I finally got to meet some of the big names in our infosec community and they are an amazing group of people. They were extremely helpful, and even just sitting and talking with them gives you a sense that our industry is heading in the right direction. I won’t name everyone that I was impressed by because there are too many, but the thing that I was most thankful for, was that I didn’t meet any “rockstars”. Everyone was willing to take the time and say “hi, glad you made it”, talk for a few minutes, etc. Even those people who were working at one of the conferences were friendly and approachable. I love this industry and hope to be working in it until someone kicks me out 🙂

Is it really OK to say ‘No’?

*EDIT* The person who started the term “our job is to see the iceberg, not steer the ship.” was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

As information security professionals we often get the stigma of being “the department of no”. We tend to rain on everyone’s parade who doesn’t take a second and think “huh…you mean validating input would be a good idea?” We’re the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the road block can wear on your psyche. You start to feel bad saying no so often and want to say yes. You feel that if you don’t, you’ll start to lose respect and people will stop bringing ideas and projects to your group for review. So you start saying “Ok…but what if you add this” or “Have you considered this?”

This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk. You’re finally in a Win-Win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say “Really….No. You can’t put your application with the un-encrypted customer payment database out on the internet as world-readable. I don’t really care how much time/money you saved by doing it that way.” (I hope no one has ever had to have that conversation in real life)

We all know it’s a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say “Ok, it’s your deal but we warned you.” Other times you need to stand in front of that bus and get run over. When you have to do each is a personal decision and can include regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to “It’s our job to see the iceberg, not steer the ship”. I believe this is how we need to see things. Our job isn’t to run the business or set direction, our job is to tell the ones at the helm that building a boat out of tin foil is a bad idea.

I think we need to change the sign on the door from “Department of No.” to “How does this affect our risk-posture?” and realize even then sometimes you need to say “Just…No.”

Is privacy worth the loss of opportunity?

As information security professionals we have to admit that our industry is a hot commodity right now. Everyone knows someone who is or was recently looking for a new job, or who is at least weighing their options. Living in this hyper-connected world, we know people all across the globe who work in our field. What we don’t always know is who is actually looking versus who is looking behind the scenes.

Privacy is a huge issue to most of us in the infosec community. We are always discussing it, preaching it, or trying to protect it. Where this hits home though is when you’re contemplating making a career move. You want the industry to know that you’re considering your choices, but you don’t want “the wrong people” to know (read: your current employer). There are many reasons to review the job market. A main one would be that you want to know what you’re worth. You want to know that you’re being paid fairly for the job you’re doing. A sensible employer knows this, and shouldn’t fault you for it. If you’re doing it on company time, that’s a different story, but posting discussions on job boards and discussing with friends in the industry is just talk.

The issue of privacy comes into play when you’re using social media. If you use Twitter or Facebook, and any of your coworkers or employers follow you, they may see this as you trying to find a new job. You may be looking for a new job, or you may just be gathering market data for your next review. This is where you may strike a balance between “Do I put myself out there, or leave less to explain at work?” While this is a personal decision that many of us make, I would consider one question if you are looking to make a move: Is the privacy you covet worth losing the opportunity you may find?

You could do the networking thing. You could find out that a friend of a friend of a next-door neighbor had heard of a job…but if you post your resume, network, and let everyone know that you’re curious, I believe you’ll have more opportunity to find that information or even that great job than if you try the whisper net. True, you may get the question at work of “So…I heard about your post…”, but if you don’t, you could lose out on a bigger raise or a job where you’re excited to go to work every day. Something to think about in this hot market we call Information Security careers.

Treading water in the sea of knowledge

So I had this thought last night watching a video from SecurityTube (which is now my new video hangout place) about Burp Proxy. SecurityMoey mentioned it to me, I’ve talked about it in my presentation at BsidesDetroit, I’ve said it to people, but I haven’t done it myself lately…

When you’re swimming, you can only power-stroke so long before you become exhausted. You need to get out of the water, dry off, sleep, eat, de-prune yourself, etc. You get to the point that you can spend forever in the water until the only thing you can do is float or tread. The same is true for learning. I would assume this is the reason for summer break for school kids. They need time where they can “just be”. You need time where you aren’t constantly learning. You need to let your brain idle for a bit so you can go back at it with renewed vigor.

I started to realize that I wasn’t taking my own advice. I needed to take a step back, and watch a movie, play a game, or just sit and have a conversation with my family. So while I ordered a few new books, and I updated all my tools to play with, I think tonight will be a no twitter, no computer, no tech evening.

Anyone seen my towel? It’s time to dry off for a bit.

BsidesDetroit – ConBlu, first try at presenting

I just got back from the BsidesDetroit trip and my first shot at giving a talk. I was wired for this trip for about a week before I went, worried about what would happen with me giving my first talk. Also, on the drive home I think I came down with “ConBlu”. Not the “ConFlu” sickness most people talk about when they go to a conference and shake hands/hug a lot of people. This is more of a slight letdown that you get when you have to leave after having the chance to hang out with people who really “get you”. The people who are as geeked out as you are when you “pop a box” for the first time. You start to wish for next year’s conference as you’re walking to your car to leave.

On to my first try at speaking. I hadn’t tried to give a presentation since sophomore year in college. While I haven’t had the chance to watch the video and see how I did, I did get plenty of feedback on my first try. Many people felt that the topic was definitely good, and something that needs to be addressed in Information Security. For those of you who haven’t followed me lately, I collaborated on a talk with Len Isham on “Infosec Flameout”. My angle on the issue was that I was burned out in my current job, but I was working myself even harder trying to change careers.

Len and I worked on the slides and content for a couple months prior to the event, but Len wasn’t happy with how his part was going, so he spent a day or two before the event completely re-doing his slides/talk. My portion was about my career, how I got burned out, and what I have tried to do about it. Len’s was about socially engineering your career after you decided where you wanted to go.

When we first started going through the talk via Skype, I hit about 13 minutes for my section. I wanted to be closer to 20 or so, leaving time for questions at the end of the hour. Len & my wife both said I needed to slow down because I was talking too fast. The second try through it, I got just over 19 minutes. I was happy with how I was pacing myself and I liked how much detail I was giving for the time-frame.

So we start our talk, and I was definitely speaking too fast. I was very nervous and realized it too late, ending up with only about 9.5 minutes after hitting my last slide. Len realized this as well as he got up to do his talk, and he was able to stretch it out so we hit about 35-40 minutes total for both of us. The great thing about the people attending (and our industry as a whole) is that people attending were willing to share their thoughts and what they did to stave off burnout. By the time we finished the discussions, it was about 7 minutes before the hour. It actually turned out great with how everyone chimed in.

With all that said, I definitely need to slow down if I’m going to present again. I had a couple people suggest that I submit to DerbyCon with just my portion. I would definitely have to expand on everything in my talk. Hindsight is always 20/20 they say, and I think I needed to do the slides a little different for next time, as well as give quite a bit more information on what caused my burnout at different times in my career and how I worked through them. I guess I’ll mull that over in my head a bit and think on it.

The conference itself was awesome. I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. The different tracks in different rooms made it easy to have hallway-con, as well as two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together. The talks were awesome! The great thing about this industry is that people are willing to share their knowledge. I didn’t get to meet everyone I wanted to, and I didn’t get to see all the talks I wanted, but I got two classes in (Metasploit & Armitage), and saw quite a few really good talks.

The only issue I had with the con personally was with the hotels (Marriott & Courtyard by Marriott where I stayed). Both were very pricey and provided nothing I wanted for it. Breakfast for both hotels was extra, as was wi-fi in the Marriott. I have some ideas to take back to my work which I’m sure my boss is going to appreciate, and maybe I can get him to pay part of the hotel. I guess I’ll see how good my social engineering skills are 😉