What getting accepted to speak at a conference means to me.

Sitting on the couch with life going on around me, glad I have nothing pressing to do, and that little annoying ding happens. I reach over to grab my phone knowing someone just interrupted my night with an email that needs my attention. If you have issues with unread email you understand what I mean by this. You unlock your phone, bored and expecting to be deleting some non-essential email, but instead see “Your talk has been accepted for DerbyCon 3.0!” I instantly get excited (some of us are still new to this speaking thing) and my mind quickly runs rampant on what this actually means. A fast tweet gets sent that you got accepted, because everyone knows nothing is real in life until you tweet about it. I fire off a quick call to Dennis Kuntz and let him know that our talk got accepted, then I realize: what does getting a talk accepted actually mean?

The excitement quickly gives way to panic. Especially as a new speaker you really start to wonder: how do we measure up to everyone else, will people come to the talk, do our ideas have merit, do I care about any of the previous questions, and many other nasty thoughts. Then your mind goes through everything we have not done for the talk: we busted out a CFP and have an outline but no slides, we have probably 10,000 lines of code left to write, tons of architecture to set up, and the demos to screw up. Will the demo gods slaughter us? I better have a video! I can no longer say “I have plenty of time on this, the talk probably won’t get accepted anyway so no rush on the code.”

So I sit down to pound out as much code as possible, and all that goes through my head is what I have not done. I start up the music and blast it in my ears even though I realize you can’t actually drown out your thoughts and doubts. So I must soldier on, and what that acceptance really means is it just got real: no more time to panic, get your shit together and finish your research, code, ideas and practice your talk! (It also means I don't need to keep worrying that I had not bought a ticket yet.)

I look forward to participating in DerbyCon 3.0 this year and look forward to the amazing talks and community that always shows up at DerbyCon. I make the commitment that I will buckle down now and get Dennis Kuntz to write all the code! I want to thank Dave, Erin, Martin, Adrian, and Nick and the rest of the DerbyCon team for making a great conference for a great community (We still have shit we need to solve in the community but it’s still pretty awesome).

Indicators of Compromise have a place, don't ignore them.

Security Cycle


Indicators of Compromise are forensically relevant fragments that are left on a computer after compromise. They operate under the assumption that you have already been compromised. IOCs should be shared to create a community of defenders exchanging intelligence about what they are seeing and to increase the defensive capabilities of every security group. These fragments can be easily documented and shared using OpenIOC documents, and they have a role in the security cycle of prevent, identify, detect, and respond.

"First of all, here's what's next in the incident response world: "Indicators of Compromise". And when people say that, they right now mean MD5s, file names, registry addresses, dns addresses, what addresses a trojan hooks, and that sort of thing. All of these things can be changed AT RUN TIME, by your better trojans 

In other words, we have an industry focused highly on "indicators of compromise", whereas modern high-level attackers have leapfrogged the entire concept. The only true indicator of compromise is "computer is doing something I probably didn't want it to do", and that's not something you can codify in XML" - Dave Aitel  http://seclists.org/dailydave/2013/q2/29

We have to be honest with ourselves: Indicators of Compromise are signatures. They have a place, and it is not in stopping an attacker but in detecting post-compromise activity. Continuing the honesty theme, we also have to realize not everyone is facing "high-level attackers", and most do a horrible job at detecting and responding to any type of attack. Most companies are faced with attackers that are not advanced and don’t perform anti-forensic activities, yet we still don't detect them in a timely manner. Indicators of Compromise can bridge the gap, and maybe one attack will be found that normally would not be.

However, Indicators are flawed in ways and can be bypassed like any other technology in the security layer. They should not replace any specific item or process you already have; they should be added to your toolbox and used to enable your hunters, security intelligence, and incident response groups to look for specific forensic artifacts that may have relevance to you. IOCs that are easily consumable and tooled properly can go a long way toward helping defenders.

An Indicator does not have to be tied to a single binary and can describe any unwanted behavior. For example: we know that lsass.exe is spawned by winlogon.exe on Windows XP, or by wininit.exe on Vista and higher, and that there is a single instance. What about svchost.exe running from a non-standard path? Should we be looking for this type of indicator? Can we write a document in XML that describes this and then detect it? The answer to those questions, in my mind, is "Yes".
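As an added example (not part of the original post, and not a Mandiant or OpenIOC project artifact), here is the svchost.exe case above written as a constructed, simplified OpenIOC-style document and evaluated against a made-up process listing. The evaluator assumes only the "is" and "contains" conditions and a negate="true" attribute, which is a subset of the real schema.

```php
<?php
// Added example: simplified OpenIOC-style indicator for "svchost.exe running
// from a non-standard path", evaluated against a constructed process listing.
$iocXml = <<<'XML'
<ioc id="example-svchost-path">
  <short_description>svchost.exe running from a non-standard path</short_description>
  <definition>
    <Indicator operator="AND">
      <IndicatorItem condition="is">
        <Context search="ProcessItem/name"/>
        <Content>svchost.exe</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains" negate="true">
        <Context search="ProcessItem/path"/>
        <Content>\Windows\System32\</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
XML;
// One IndicatorItem: compare the named process attribute with the Content text.
function itemMatches(SimpleXMLElement $item, array $proc): bool {
    $search  = (string) $item->Context['search'];
    $content = strtolower(trim((string) $item->Content));
    $value   = strtolower($proc[$search] ?? '');   // Windows names/paths: case-insensitive
    switch ((string) $item['condition']) {
        case 'is':       $hit = ($value === $content); break;
        case 'contains': $hit = ($content !== '' && strpos($value, $content) !== false); break;
        default:         throw new InvalidArgumentException('unsupported condition');
    }
    return ((string) $item['negate'] === 'true') ? !$hit : $hit;   // negate flips the result
}
// Indicator: AND (default) or OR over nested Indicators and IndicatorItems.
function indicatorMatches(SimpleXMLElement $ind, array $proc): bool {
    $results = [];
    foreach ($ind->Indicator as $child)     { $results[] = indicatorMatches($child, $proc); }
    foreach ($ind->IndicatorItem as $child) { $results[] = itemMatches($child, $proc); }
    $or = strtoupper((string) $ind['operator']) === 'OR';
    return $or ? in_array(true, $results, true) : !in_array(false, $results, true);
}
// Constructed sample listing; only the copy under Temp should fire.
$processes = [
    ['ProcessItem/name' => 'svchost.exe', 'ProcessItem/path' => 'C:\Windows\System32\svchost.exe'],
    ['ProcessItem/name' => 'SVCHOST.EXE', 'ProcessItem/path' => 'C:\Users\bob\AppData\Local\Temp\svchost.exe'],
];
$ioc = new SimpleXMLElement($iocXml);
foreach ($processes as $p) {
    if (indicatorMatches($ioc->definition->Indicator, $p)) echo "HIT: {$p['ProcessItem/path']}\n";
}
```

Feeding the same evaluator a listing from a real host agent is a matter of mapping its fields onto the ProcessItem/name and ProcessItem/path keys.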

I believe that Indicators of Compromise and OpenIOC can be used extensively to increase defensive capabilities, increase the cost to the attacker, define behavior that we want to look at, and create a community of defenders working on the same problems together instead of in the current silos.


How I got Socially Engineered - BAD OPSEC

In all the research I have been doing around my move I am amazed at the OPSEC that bad guys don’t have: the inability to separate work from play, to keep different scams away from each other, and the use of home addresses and personal cell phone numbers. They really should take the time to learn these skills.

This is part 4 of a three part saga:

  1. Background

  2. The Attack

  3. Containment

Recently, I began looking into West Coast Movers and Deans Logistics because of my horrible experience with them. There are a lot of complaints on Rip Off Report and you can read them for yourself here, here, here or google for more, all of these complaints are conveniently marked as “Disgruntled Employee”. If you are curious you can find my Resume which will show I am not an ex-employee. I will also be posting my bill of lading soon to this blog which will show the move.

When I read some of these complaints I found names that I was not familiar with like Uzi Malka, Oz Malka, and Ezra Malka. I had already seen Aviv Mordechai so I was not that interested in that name as Aviv is the owner of West Coast Movers according to the Nevada Secretary of State. So I figured I would dig into these names and see if they are actually connected to West Coast Movers, what I found was interesting enough.

I'd say the first part that surprised me was that I had already linked to all of Doron Vaknin’s YouTube videos but missed the information inside them. Doron is the owner of Deans Logistics in Florida. He has a karaoke video that has Uzi Malka singing. He is not a great singer and most of his pictures on Facebook are very sleazy. Hey Uzi, lock down your privacy settings on Facebook bro, here is how you can do it. But this does not link Uzi to West Coast Movers; it just shows that he knows the guy who owns Deans Logistics and was in Florida once. I also looked around and apparently Doron owns a few moving companies as well: Dean’s Logistics, D & E Relocation Group Inc, and Massada Moving & Storage, Inc.

I was curious to know if Uzi was ever in the moving business, so I started looking around. I found that Uzi is listed as an officer or owner of US1 Movers, LLC. The registered agent of these companies was Danna Malka (there is also a Donna Malka associated with Uzi Malka), and that was interesting just because of a partial name match, so I looked into it and found several other companies including New Destination Moving, Inc. So clearly they had some experience with moving companies, but these are both Nevada companies and don’t show Florida as any type of residence or office. So I started looking to see if Uzi was a resident of Florida at any time and found that yes, he was, and was married to or living with Nirit Assulin. They owned a house together in 2005. Nirit Assulin owned a company called New Way Movers, which is still in operation by Nirit Assulin, and I am not sure they are still together. Ezra Malka owned Victory Relocations Inc as well; there are more companies than I can shake a stick at.

In looking around I also found that Uzi seemed to have another company in New York that was a moving company called U.M. Moving, Inc. So it appears that Mr Malka gets around and has a lot of moving experience. When I look around at these moving companies I find more bad reviews. Uzi also owned A One Media Inc in Florida, but I am not sure what it was used for.

So we now know that Uzi has moving company experience, has been in Florida, and is friends with Deans Logistics. What we don’t know yet is if he is associated with West Coast Movers. We can also see from whois information, state filings and such that Uzi’s name is Oz Malka and he sometimes goes by Oz Ezra Malka or Uzi Malka. I can tie the names together by pictures. Here is Oz Malka (A One Carpet Cleaning) on Facebook and here is Oz Uzi Malka. Hey Uzi, did you sell that Envoy yet?

Google Street View.

What else is Mr Malka into? Well, we can tell from his address of 10358 Catclaw CT. Las Vegas, NV, 89135 that he is actually related to A One Carpet Cleaning. Just how related is he however? Well looking at Google Street View he works for A One Carpet Cleaning and has a van in front of his house. This company is supposedly owned by Amit Enkava but there are conflicting reports. Some places Uzi claims to own it. I think there is an interesting relationship here. 

I also missed something in one of the videos I posted in Containment. When I posted this video I missed Itamar mentioning who came out to clean his carpets. He said "Uzi was here by 3:45am thank you A One". Oops, did he just say Uzi was here? Well, I know it's the same Uzi as before because here you can see him in an A One Carpet Cleaning shirt. So now we know for sure that Uzi works for A One Carpet Cleaning and was not a friend who was visiting or something when the Google car came by. Oh, and also the BBB lists Oz Malka as the president of A One Carpet Cleaning.

Is this all Oz/Ezra/Uzi is into? Nope, he owned a duct cleaning company called Las Vegas Air Duct, but he closed or sold that and the trailer. The website of Las Vegas Air Duct now points to A One Carpet Cleaning. Verify for yourself. There are many other companies or sites that point to 10358 Catclaw Ct in Vegas, like Mia Bella Cosmetics or MIA Reviews. Funny about that one: it is essentially reputation management software, and I think the way these guys handle reputation management is to spin up a new company. You will find common cell phone numbers on each of these little tidbits as well. I spent a good bit of time Googling using "702-883-0000" or "702-244-0616".

Photo Bucket

Picasa

This guy is extremely busy. But you still have not proven any connection to West Coast Movers, or even made a point yet. Okay, I will quickly show my bit of proof that Uzi/Oz Malka at least knows of West Coast Movers and is handling or helping with marketing for them. You can find marketing material that they use to spam craigslist with in Uzi's Picasa or Photobucket, and I am sure they will remove them, so here are a couple of screenshots of the mix of images. These images show A One Carpet Cleaning, the duct work company, and West Coast Movers all together in one happy family.

One other thing I found interesting is that all of the parties, Aviv, West Coast Movers, Doron Vaknin, and Oz Uzi Malka, are friends on Facebook. I know that does not prove anything, but it's just more sticks on the fire.

I think we can say that Uzi has some business relationship with West Coast Movers even if he is not directly on the company's paperwork. To me it also ties everything together into a relationship that shows how my stuff got pushed from one provider to another.

What concerns me is that Uzi Malka recently created a new moving company. He spun everything up in December of 2012, and my opinion is that he will be dumping West Coast Movers because of the negative reviews and start using Executive Moving & Storage. This concerns me because it seems like there is a pattern of making companies and dumping them later; this is just a shell game with the same people controlling the switches.

Executive Moving and Storage uses the same DOT number as US1 Movers LLC, and both are registered to the same address. This means the same service you received with West Coast Movers or US1 is what you will get with Executive Moving and Storage. When you call them and start asking questions they will say they have 10+ years in the business; what they don't say is that it's been under multiple companies that they keep ditching. I am sure once they start using this company they will start the next one up. There is no real consumer protection on moving: the lawyers that know transportation work for the industry and will eat you alive, and the claims departments are not there to help you, they are there to protect the company. You lose in this game.

ProTip: I was informed by an industry insider that if a subcontractor is used it costs anywhere from $2 to $2.25 per cubic foot to move your things. This means a subcontractor is more likely to bump the cubic footage so they can make money. That is the going rate, and it's an industry rate, not a per-company rate.

Make your php requests a bit safer

I am not by any means an Application Security expert, or even an expert, so take what I say with a (large) grain of salt; however, I needed to solve a problem. I needed to find a solution that for the most part protects all the things from XSS and CSRF. Now, I realize this is impossible, so I had to provide a way to opt out of these protections, because somewhere someone needs to be able to pass scripts and such into forms.

So I came up with a simple PHP class that will do the following:

  • CSRF detection
  • CSRF mitigation of any detections
  • CSRF logging of any detections
  • Detect when a form is not using CSRF protections, and log it
  • XSS protections on all POST/GET fields
  • Ability to securely exclude some fields from XSS filtering (only POST)

You can find the code on github. I am looking for additional ideas and improvements on the filtering and handling of this. 

You will, however, need to modify the secure.requests.php file to change a few variables:

// secret used for the CSRF tokens; change it before deploying
private $securityKey = "make your own key here";
// valid actions are none, log, block, log_block
private $csrfVolationAction = 'log';
// log file we want to log to
private $securityLogFile = 'csrf.log';

Then create the object and call safeRequest before any $_POST, $_GET, or $_REQUEST parameters are used. You will need to have the session started before you utilize this, so start the code with a session_start(). To do this use the code below.

$sr = new SecureRequests();
$sr->safeRequest();

This will start the filtering and logging of forms that are submitted without CSRF mitigations. Once you are ready to use the CSRF mitigations, you will need to create the object again if it's not available and use protectForm inside the form block:

<form method="POST" action="/omgzors">
<?php $sr->protectForm('YourFormName', ''); ?>
<input type="text" value="" name="test_field">
<input type="submit" value="Go">
</form>

This will generate a few fields that get added to the form that will help with your mitigations. If you need to leave a field in your form unfiltered, list the fields you don't want to filter and pass them to the protectForm function.

<?php $sr->protectForm('YourFormName', 'list,of,form,fields'); ?>
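As an added example (not code from the original post or from the class's GitHub repository), here is a complete page that wires the class in as described: session first, safeRequest() before any input is read, protectForm() inside the form with one field excluded from XSS filtering, and output encoding for that excluded field. The form and field names, and the assumption that secure.requests.php sits next to this file, are this example's own.

```php
<?php
// Added example: a page using the SecureRequests class described above.
// Assumes secure.requests.php is in the same directory (example assumption).
session_start();                                 // the class needs a session before safeRequest()
require_once __DIR__ . '/secure.requests.php';

$sr = new SecureRequests();
$sr->safeRequest();   // run before any $_POST/$_GET/$_REQUEST value is read

$shown = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $shown = [
        'title'   => $_POST['title'] ?? '',    // XSS-filtered by safeRequest()
        'comment' => $_POST['comment'] ?? '',  // excluded from filtering below, so treat as raw input
    ];
}
?>
<form method="POST" action="">
<?php $sr->protectForm('CommentForm', 'comment'); /* 'comment' is the unfiltered field */ ?>
  <input type="text" name="title" value="">
  <textarea name="comment"></textarea>
  <input type="submit" value="Go">
</form>
<?php if ($shown !== null): ?>
  <p>Title: <?= htmlspecialchars($shown['title'], ENT_QUOTES, 'UTF-8') ?></p>
  <!-- an unfiltered field must still be output-encoded; never echo it raw -->
  <pre><?= htmlspecialchars($shown['comment'], ENT_QUOTES, 'UTF-8') ?></pre>
<?php endif; ?>
```

Submitting the form without the fields protectForm() emits (for instance from a page that never called it) is what the 'log' or 'block' setting of $csrfVolationAction acts on.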

Please let me know all the bugs you find in this or better ways to filter, and let's make this better.