Thinkst Blog

We have been talking a fair bit over the past few years on what we consider to be some of the big, hidden challenges of information security [ 1 ][ 2 ][ 3 ]. We figured it would be useful to highlight one of them in particular: focusing on the right things . As infosec creeps past its teenage years we've found ourselves with a number of accepted truths and best practices. These were well intentioned and may hold some value (to some orgs), but can often be misleading and dangerous. We have seen companies with huge security teams, spending tens, to hundreds of millions of dollars on information security, burning time, money and manpower on best practices that don't significantly improve the security posture of their organization. These companies invest in the latest products, attend the hottest conferences and look to hire smart people. They have dashboards tracking "key performance areas" (and some of them might even be in the green) but they still wouldn't hold up...

"Communication flow in the TDS 4.2 protocol" [ msdn ] Our recent PyConZA talk had several examples of why Python is often an easy choice of language for us to quickly try things out. One example came from looking at network traffic of a client authenticating with Microsoft SQL Server (in order to simulate the server later). By default, we can't see what the authentication protocol looks like on the wire because the traffic is encrypted. This post is a brief account of stripping that encryption with a little help from Python's Twisted framework. The clean  overview  of the authentication protocol on MSDN suggests that it would as easily readable as its diagram. Our first packet captures weren't as enlightening. Only the initial connection request messages from the client and server were readable. Viewing the traffic in Wireshark showed several further messages without a hint that the payloads were encrypted. A clearer hint was in the  MSDN description  of the ini...

A few days ago, @jack (currently the CEO of both Square && Twitter) posted a pic of his iPhone. [ original tweet ]  It struck me as slightly surprising that both Square & Twitter could be using Gmail. Both companies have a ton of talent who deeply understand message delivery and message queues. I wouldn't be at all surprised if both companies have people working there who worked on Sendmail or Postfix. On some levels, twitter competes with Google.. ( if Google Pay is a thing, then so does Square ). Of course this is one of those times when you see a classic mismatch between " paranoid security guy " thinking, and " scale quick Silicon Valley " thinking. The paranoid security guy thinks: "So every time a twitter executive sends an email, people at Google can read it?" while the SV entrepreneur says: "It isn't core.. lets not spend engineering time on it at all". I'm not going to make a call here on which route is better bu...

Introduction This is part 2 in a series of posts on our 2015 BlackHat talk, and covers our Canarytokens work. You'll be familiar with web bugs, the transparent images which track when someone opens an email. They work by embedding a unique URL in a page's image tag, and monitoring incoming GET requests. Imagine doing that, but for file reads, database queries, process executions, patterns in log files, Bitcoin transactions or even Linkedin Profile views. Canarytokens does all this and more, letting you implant traps in your production systems rather than setting up separate honeypots . [ Read More ]

This year we gave a talk at BlackHat titled: Bring back the Honeypots. You can grab a quickly annotated version of the slides from [ here ] As usual, we had waaaaaay more content than time (which should have been expected with about 142 slides and multiple demos) but we like to live dangerously.. The linked slides are annotated, so you should be able to gather the gist of our thoughts, but some of them (especially the demos) do require their own coverage. Over the next few days, we will aim to put out 3 quick posts to cover the three sections in the talk: 1) Why we think Honeypots failed; 2) OpenCanary ( http://opencanary.org ) 3) CanaryTokens ( http://canarytokens.org ) As always, shout if you have thoughts, questions or comments.

Today we are super proud to bring you our newest creation: Thinkst Canary. We have been working on it for months and it feels really good to finally have it out there.. You can check it out at: http://canary.tools You can watch some of the thinking behind it here: You can watch it in action here: The videos were made with our early prototypes. The release birds are much much prettier! We think its insane that organizations that spent millions of dollars on cyber security took months (or years) to realize that they were breached. We think Canary fixes this elegantly and manages to do this at a super reasonable price-point. We have spent ages adding features, stripping features and making it a pleasure to use. Even on super complex networks, it takes just 5 minutes to get up and running (with enough time to make yourself a cup of coffee). With such a low rate of effort, we believe everyone should be running Canary. Please drop us an email ( canary@thinkst.com ) if you have any question...

We gave 2 talks at Troopers15 this year. Marco & Azhar talked about Sockpuppets and Censorship 2.0 . And i gave a somewhat hand-wavy talk titled: " The hard thing about the hard things " (Some pretty smart people seemed to like them, so its probably worth a quick watch)

As the Snowden leaks continue to dribble out, it has become increasingly obvious that most nations  planning for "cyber-war" have been merely sharpening knives for what looks like an almighty gunfight. We have to ask ourselves a few tough questions, the biggest of which just might be:  "If the NSA was owning everything in sight (and by all accounts they have) then how is it that nobody ever spotted them?” [ full post ]