carnal0wnage

Thursday, December 26, 2013

Where has CG been?

I've been has kept me super busy...pretty sure there is a post in 2012 that says about the same. :-/

I attempted to recruit some smart people to make some posts and they did so thanks to all the guest bloggers this year.

so what's been up?

well I've taken on two hobbies that don't directly tie into this blog. One, Christmas lights, like the obnoxious programmable RGB color ones. Facebook friends have been kept abreast of the situation. Two, stock trading...which I found out a fair number of hackers are into...which is cool. The stock stuff came about from reading the Rich Dad Poor Dad book and trying to figure out a way not to have to work until I die. See that post for a tiny bit more explanation.

I've been told by a few people that readers would probably find the xmas light stuff interesting as it does involve cat-5 cables and packets over Ethernet frames. So I'll start knowledge dumping in Jan on that topic.

anyway. Tech stuff....what's up?

Shitty passwords are what's up this year (totally new issue right??!!!). I didn't go back and count, but a large majority of the tests I performed or assisted with this year where there was some sort of single-factor login portal (SSLVPN, Citrix, OWA, etc.) fell over to one of the following:

It's 2013, almost 2014, as I write this; it's sad that we are still dealing with this like it's a new or unsolvable problem. Just reaffirms to me that we are failing as an industry if today we can break into some organization that spends any dollars on security with Password1. It's really no mystery why bad guys are beating the piss out of people.

Earlier this year a guy that does work on things in China gave a talk and described the Chinese cultural view on security like this (to paraphrase):

"if an organization doesn't protect against stealing it, they must not care about it"

Protecting your important **stuff** with Password1, or a web application where any web vulnerability scanner finds SQL... yeah, it's no surprise when someone steals your *whatever*.

Grumpiness aside, we did do some neat shit this year. A pseudo highlight reel can be found in the string of talks that Chris Nickerson, Eric Smith, Mubix and I gave at Derbycon this year.

Lares continues to break into hard to break into places using Red Teaming.

I also gave a talk at a credit union conference a few months ago where I tried to sum up how organizations are getting owned. TL;DR: it's all stuff we know about, but it takes work to fix, so not that many organizations do it.

I've been kind of a deadbeat on talking in 2013, but I have a few ideas on some talks for 2014; ideally blog posts either here or on the Lares blog will help me work those ideas into posts and eventually into a slide deck(s).

Anonymous said...

Glad to hear about others in this field that are getting into investing. I am investing 50% of my income in index funds of stocks and bonds for an early retirement.

Just make sure you know the difference between investing and "stock trading".