Posts

Forcing the Adversary to Pursue Insider Theft

Jack Crook pointed me toward a story by Christopher Burgess about intellectual property theft by "Hongjin Tan, a 35 year old Chinese national and U.S. legal permanent resident... [who] was arrested on December 20 and charged with theft of trade secrets. Tan is alleged to have stolen the trade secrets from his employer, a U.S. petroleum company," according to the criminal complaint filed by the US DoJ. Tan's former employer and the FBI allege that Tan "downloaded restricted files to a personal thumb drive." I could not tell from the complaint if Tan downloaded the files at work or at home, but the thumb drive ended up at Tan's home. His employer asked Tan to bring it to their office, which Tan did. However, he had deleted all the files from the drive. Tan's employer recovered the files using commercially available forensic software. This incident, by definition, involves an "insider threat." Tan was an employee who appears to have cop...

Fixing Virtualbox RDP Server with DetectionLab

Yesterday I posted about DetectionLab, but noted that I was having trouble with the RDP servers offered by Virtualbox. If you remember, DetectionLab builds four virtual machines:

root@LAPTOP-HT4TGVCP C:\Users\root> "c:\Program Files\Oracle\VirtualBox\VBoxManage" list runningvms
"logger" {3da9fffb-4b02-4e57-a592-dd2322f14245}
"dc.windomain.local" {ef32d493-845c-45dc-aff7-3a86d9c590cd}
"wef.windomain.local" {7cd008b7-c6e0-421d-9655-8f92ec98d9d7}
"win10.windomain.local" {acf413fb-6358-44df-ab9f-cc7767ed32bd}

I was having a problem with two of the VMs sharing the same port for the RDP server offered by Virtualbox. This meant I could not access one of them. (Below, port 5932 has the conflict.)

root@LAPTOP-HT4TGVCP C:\Users\root\git\detectionlab\DetectionLab\Vagrant> "c:\Program Files\Oracle\VirtualBox\VBoxManage" showvminfo logger | findstr /I vrde | findstr /I address
VRDE: enabled (Ad...

Trying DetectionLab

Many security professionals run personal labs. Trying to create an environment that includes fairly modern Windows systems can be a challenge. In the age of "infrastructure as code," there should be a simpler way to deploy systems in a repeatable, virtualized way -- right? Enter DetectionLab, a project by Chris Long. Briefly, Chris built a project that uses Packer and Vagrant to create an instrumented lab environment. Chris explained the project in late 2017 in a Medium post, which I recommend reading. I can't even begin to describe all the functionality packed into this project. So much of it is new, but this is a great way to learn about it. In this post, I would like to show how I got a version of DetectionLab running. My build environment included a modern laptop with 16 GB RAM and Windows 10 professional. I had already installed Virtualbox 6.0 with the appropriate VirtualBox Extension Pack. I had also enabled the native OpenSSH server and performed all...