Jake Williams
Breaker of software | GSE #150 | CTI/DFIR | @ians_security faculty | Bookings: jake at malwarejake dot com | He/him
Sep 20, 2018, 7 tweets
This has huge privacy implications, but as a data nerd, I'm excited to see it. As a hacker, I'm also excited. First, the hacker side: this will immediately create a market for device hacking (and forensics, $$$$) on an unprecedented scale. 1/n
reuters.com/article/us-man… If you can save $250/year on your policy by appearing to be active, but really are providing bunk data through a $50 app? Yeah, people will do that. Then when they die weighing in at 350 pounds but claiming to have run a marathon a week the last year? Forensics $$$. 2/n
Sep 15, 2018, 9 tweets
This is drawing a lot of ire from the infosec crowd because there's no obvious causality. We SHOULD be careful not to assign causality where there is none. But this data IS valuable and we shouldn't dismiss it because it lacks a causal link. 1/n
comparitech.com/blog/informati… The study authors note that the biggest problem with this sort of study is the sample size is small. There simply are not that many publicly traded companies that have suffered significant breaches available to study. There are also many factors, making causality difficult. 2/n
Sep 8, 2018, 8 tweets
I've had a number of people note that the Nuremberg Trials counter my argument that Park following lawful orders is a consideration in evaluating his actions. Let's talk about this, because I think it's wrong (for multiple reasons). 1/n
First, to use Nuremberg as a reference point, we are equivocating hacking Sony with the Holocaust. I'm not ready to go there. Some people are saying "but if he hacked the power grid, that would be equivalent." Irrelevant, since that's not what happened here. 2/n
Sep 6, 2018, 8 tweets
Charging individual North Korean government hackers as individuals is a human rights issue. Assuming the intrusions have been correctly attributed to Park (not a given), unlike me, he likely had zero choice in his actions. This is not okay. 1/n
documentcloud.org/documents/4834… People living in North Korea don't get a choice when the government comes calling. There are countless stories of atrocities where whole families are imprisoned (or worse) for defying the orders of the government. We know what would have happened if Park refused to hack Sony. 2/n
Sep 1, 2018, 7 tweets
Last year, my kid interviewed me about my job for a school project. One of the questions was "what's the most important trait for someone thinking of going into your field?" I said "natural curiosity." On reflection, I think I was wrong. 1/n
If she asked me again, I'd tell her curiosity is important. But much more important than that is "A commitment to lifelong learning, even when the subject bores the heck out of you." I've heard many talk of the need for constant learning (I do regularly myself). 2/n
Aug 31, 2018, 11 tweets
Just had some fun at the office. An ESX server had an issue earlier today and crashed. Admin brought everything back up and powered on all the VMs. Everything looked good. I went to use a VM and can't get to it. Can't ping it. Nmap to it and something's there. 1/n
Problem is that it's not the right something. I ask our admin and he checks the VM from the ESX server console. He says "it shows a duplicate IP." This is a problem because it's a static assignment - so what has my IP?! 2/n
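The question at the end of that thread, "what has my IP?", is answered on the wire by ARP: whichever MAC replies for the address is the host that currently owns it, and if more than one MAC replies you have your duplicate. The script below is an added example (not from the thread or from any VMware tooling) that parses tcpdump-style ARP reply lines and reports every IP claimed by more than one MAC, plus whether the MAC you expected is the one actually answering. The capture lines, addresses and MACs are constructed for the example.

```python
"""Find duplicate-IP conflicts and unexpected owners from ARP replies.

Added example, not part of the original thread. Input is the text of
`tcpdump -n -e arp` (constructed sample below, not a real capture).
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample: one request for 10.10.5.40 and TWO replies for it
# from different MACs, plus a clean reply for 10.10.5.41. Made-up data.
SAMPLE_CAPTURE = """\
12:01:03.100 00:0c:29:11:22:33 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.10.5.40 tell 10.10.5.9, length 28
12:01:03.101 00:0c:29:aa:bb:cc > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 60: Reply 10.10.5.40 is-at 00:0c:29:aa:bb:cc, length 46
12:01:03.102 00:50:56:de:ad:01 > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 60: Reply 10.10.5.40 is-at 00:50:56:de:ad:01, length 46
12:01:04.900 00:0c:29:55:66:77 > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 60: Reply 10.10.5.41 is-at 00:0c:29:55:66:77, length 46
"""

# Only ARP *replies* carry an ownership claim; requests are ignored.
ARP_REPLY = re.compile(
    r"Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_replies(capture: str) -> dict[str, set[str]]:
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    claims: dict[str, set[str]] = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            claims[m["ip"]].add(m["mac"].lower())
    return dict(claims)


def find_conflicts(claims: dict[str, set[str]]) -> dict[str, set[str]]:
    """IPs for which more than one MAC answered: the duplicate-IP cases."""
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


def check_owner(claims: dict[str, set[str]], ip: str,
                expected_mac: str) -> tuple[bool, set[str]]:
    """Is `ip` answered for by `expected_mac` alone?

    Returns (ok, intruders): ok is True only when the expected MAC replied
    and no other MAC did; intruders is the set of other MACs that replied.
    """
    macs = claims.get(ip, set())
    expected = expected_mac.lower()
    intruders = macs - {expected}
    return (expected in macs and not intruders, intruders)


if __name__ == "__main__":
    claims = parse_arp_replies(SAMPLE_CAPTURE)
    for ip, macs in find_conflicts(claims).items():
        print(f"CONFLICT {ip}: claimed by {', '.join(sorted(macs))}")
    ok, intruders = check_owner(claims, "10.10.5.40", "00:0c:29:aa:bb:cc")
    print("owner check:", "ok" if ok else f"FAILED, also answered by {sorted(intruders)}")
```

In the constructed sample both MACs answering for 10.10.5.40 carry VMware OUIs (00:0c:29 and 00:50:56), which is the pattern you would expect after a mass power-on of VMs: the second claimant is another guest on the same host, not a stranger on the LAN. Run the real thing with `tcpdump -n -e -i <iface> arp` while you ping the address, then feed the output to `parse_arp_replies`.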
Aug 29, 2018, 6 tweets
For those claiming MFA doesn't impact organizational productivity, stop looking at it from your view. Look at it from the organization's view. People lose MFA tokens and can't log in. People have to change MFA devices (new phone, new token, etc). Helpdesk handles "issues." 1/n
Only infosec would claim that this has no impact. Doctors don't give diabetics news that they'll have to test blood sugar followed by "it's just a prick after every meal, so it won't have any impact." When we make claims that are OBVIOUSLY false, this lowers our credibility. 2/n
Aug 28, 2018, 5 tweets
It's easy to make a government joke, but this is really the result of lobbying Congress. So many gun violence statistics can't be tracked electronically by the people who need them for decision support because that's outlawed in various spending bills. 1/n
And before I go further, I'll state that I'm a gun owner and support intelligent gun rights. But when the CDC isn't legally allowed to track gun violence deaths in the same way they track literally all other death, that's dumb and we have a problem. 2/n
Aug 27, 2018, 4 tweets
The words "quick" and "forensics" should not appear next to each other ever. If "quick" is the most important functional requirement, then forensics is off the table. Reputable firms don't take standalone engagements for "5 hours of forensic analysis." 1/n
The reason is that we know we can't get usable results to you in 5 hours. Remember, we have to write a contract, access the media, image the media, process the media, analyze the evidence, write a report, and brief the report. All of this takes time. 2/n
Aug 19, 2018, 5 tweets
You know what makes you an "infosec rock star"? First, let's start with what doesn't:
1. Getting sloppy drunk at conference parties
2. Soldering the coolest badge (even though there are some really cool badges)
3. Getting caught up in infosec drama
1/n
I could continue the negative list for a LONG time, but I'll stop there. What makes you a "rock star"? (ugh, I'm nauseous just using that term)
1. Mentoring - teach what you know to others
2. Listening to others - none of us is as smart as all of us
2/n
Aug 12, 2018, 7 tweets
My favorite "n00b litmus test" is to scan a post for the word "just" - VERY few things in infosec can be boiled down to a "just" and these posts almost always lack substance. Posts that say "obviously" and "it's not hard" are similarly likely to contain little value. 1/n
Infosec is amazingly complex. If the problems were easy to solve, we'd have "just" enabled the evil bit in all TCP communications. Seriously, does anyone think we're sitting on a solution to all the breaches? If so, why?! 2/n
Jul 28, 2018, 9 tweets
Another quick rant, this one about people who think the US intelligence community is hiding evidence of Russia stealing the election. Before tonight, I didn't know this was a semi-mainstream theory. Let's ask first "what's their motivation?" 1/n
Every gov employee in the intelligence community has sworn an oath to the constitution. Sure, maybe some of them don't care about that oath or have lost sight of it. We have examples of this. But certainly this can't be all of them. 2/n
Jul 27, 2018, 9 tweets
Real talk: there's zero evidence Russia modified votes or registration info. There IS evidence they positioned themselves to do so. One does not naturally follow from the other. Even the US IC doesn't assess this occurred. Winner would have leaked that if so. 1/n
Instead Winner leaked something that was hardly news. It did tell us that VR Systems was hacked and used for further phishing and/or watering hole attacks. But it was hardly a bombshell. Even an assessment that hacking *might* have altered votes would have been more shocking. 2/n
Jul 16, 2018, 15 tweets
I've been doing incident response for years. Let's talk about the "missing server" using, I don't know, how about facts? I've never worked an intrusion where we've had all the evidence we wanted. There's always logs missing, aged off, or deleted by the attacker. 1/n
In every case, we are forced to look at the data we have and then make judgments even with the missing data. We don't call the missing data a conspiracy - we call it business as usual. 2/n
Jul 16, 2018, 6 tweets
Teaching @sansforensics Threat Intelligence at #SANSFire this week. At first break, I had a chance to talk to students. The number of orgs with threat intelligence "programs" where program requirements are a complete unknown is always astounding to me. 1/n
If you don't know your #CTI requirements, you can't possibly build a good program. You may think you know the "requirements" but at the end of the day, those are determined by stakeholders (e.g. the "customer" aka whoever is in charge of funding the program). 2/n
Jul 4, 2018, 11 tweets
[Thread] Want to get that next great job in infosec? Recruiters and hiring managers are increasingly using Google to discover, vet, AND weed out candidates. So I have some advice here:
1. Build a body of work that they can easily find. 1/n
This body of work shouldn't be shoddy quality, but the existence of work is more important than the type and/or quality. In other words, even if I'm hiring for an exploit developer, I'd rather find a blog about compliance than nothing. Don't let perfect prevent "good enough." 2/n
Jun 15, 2018, 6 tweets
If you're looking for infosec employment today, I have a tip for weeding out potential employers. It's 2018 and the US is changing. If the potential employer requires drug testing (marijuana specifically), the culture is probably not infosec friendly. 1/n
BTW, I know some of you are going to unfollow me before I finish this thread, and I'm okay with that. 2/n
Mar 22, 2018, 11 tweets
Men (particularly in infosec, but elsewhere too), time for some real talk. If we want to solve the gender gap, we have to change how we act on and off work hours, especially at infosec events. I was talking to a woman last night who relayed something that happened recently. 1/n
She is very accomplished in the field and I suspect many of you know her by name. She was at a nearby bar at a recent event and saw a number of men she recognized as wearing conference badges. When she approached to network and be social she overheard the conversation. 2/n
Feb 27, 2018, 10 tweets
/rant - recruiting more people won't fix cyber command. Even if you find thousands of people with all the skills (unlikely), they still need to be trained on CYBERCOM tools, tradecraft, and policies. This is a huge time suck for each new employee. 1/n
Instead of just talking about recruiting, let's talk about something more important: retention. There are a number of reasons people leave any job and the retention rates at CYBERCOM aren't public AFAIK. But let's talk about some things that might lead someone to leave 2/n
Jan 30, 2018, 5 tweets
If you're researching the true cost of a data breach, let me help you out and tell you that nobody knows. There's no standard for reporting what is and isn't included in the cost. IT overtime to rebuild systems? Sure that makes sense. But many costs aren't black and white 1/n
GRC time to write new control policies?
Replacing your outdated VPN concentrator?
Finally migrating off of Win 2k3?
Installing AV organization wide?
Pentesting to find other exposures?
Threat hunting to find other actors in the network?
All of these have been included 2/n
Dec 24, 2017, 14 tweets
Twas the night before Christmas and all through the house
Not a creature was stirring, not even a mouse (jiggler, to prevent the screen from locking)
The dongles were hung by the chimney with care
In hopes that no APT zero-days would be there
1/n
The children were browsing using incognito mode
While visions of insecure IoT toys danced in their heads;
And mamma with her BYOD laptop, and I with my tablet,
Had just settled down and hibernated our devices,
2/n