Wednesday, December 26, 2012

Open Source Firewall Solution... Day 1

So I've been wanting to do this project for along time but never can seem to find time to get it done.  Nor can I seem to get the hardware available when it is needed.  When people are entering the Information Security field, one of the toughest things to do is get experience working with some of the software and hardware systems out there.  So if you can't get the experience at work, build something at home!

The Final Goal

I am finally working on putting together a UTM (Unified Threat Management) network in my home.  What that means in a simple form is the ability to catch malicious activity as it is happening on my home network and put a stop to it.  It isn't just one product that does this though.  It typically is a layered security approach relying on input from a number of things.  For example; firewall logs, IDS/IPS (Intrusion Detection/Protection System), Client Anti-Virus alerts, and whatever other logs you may have  at your disposal.  The core component around this is a log management system and/or a SIEM (Security Information and Event Management) solution.  In small networks such things may not be needed, but if you enter an enterprise network with thousands of servers, workstations, and network hardware, managing events can be very cumbersome.  If not properly staffed, things may fall through the crack.  It doesn't even need to be malicious, it could be something as simple as a hard drive failure.  A simple log management solution will collect the logs from the many devices, but you still need to parse out the data and try to connect some dots.  The SIEM is the key, this will help with that and in some cases it can correlate the data with other logs that are being collected and can alert on suspicious activity.  So I never really got to put something like this together, since I am currently in a "hands off" position.  I get to plan it out on paper, make some recommendations bases on research, but someone else will be tasked to build it.  Frankly I like getting my hands dirty and I like having proof that I know what I am recommending.  So I look at building this stuff in my home lab.  On to the build....

What is needed to get started...

Using the following site for guidance: Build your own IDS Firewall with pfsense.  We will be using the open source firewall solution called pfSense.  My build is actually just the firewall with no guest wireless.  Hardware wise, I will be using a small Micro-ATX system I call my Shoebox.  It is running an atom processor intel board, 2GB of RAM, 250GB 2.5" SATA drive, and a CD-ROM.  It is about the size of a shoe box.  The Atom board runs pretty quiet as well, so if you don't have a dedicated network closet, no big deal.  The system also has two network cards.  It has the on-board NIC and a PCI based Intel Pro 1000.  If you want to follow the linked guide, you will need to have a dual port PCI NIC.

Day 1

Nothing to fancy here since I got started a little late.  You will need to have a keyboard and monitor for this part.  Afterwards is either the WebGUI or SSH.  I downloaded the USB boot image of pfSense and used physdiskwrite to image a 4GB flash drive from my Windows desktop.  For anything greater than 2GB, you will need to use the "-u" switch with the command and you will need to run the command prompt as Admin in order to see the drives.  pfSense is now bootable from the flash drive.  At that point I fired up Shoebox with the USB connected and followed the Default startup mode.  You can pretty much let it boot with the defaults.  It will take you through the interface configurations.  From here I strayed from the guide since I was not yet ready to connect to the "WAN" (my cable modem).  So I just popped the ethernet cable between each interface as I was prompted.  I did find that the auto-config was not exactly picking up the interface, so I had to manually enter the name.  You will see this during the first request to auto-configure ("a").  In my case the intel PCI NIC was "em0" and the RealTek on-board NIC was "re0".  Once the network configuration was complete, you will see the pfSense menu.  Before I proceeded, I reset the LAN interface since it uses 192.168.1.1 by default.  I switched it to reflect my current network but using option #2 from the menu - Set Interface(s) IP Address.  I then chose to install to hard drive.  Basically this part takes the information saved to RAM and builds the image to the local hard drive.  Use the Quick/Easy Install method.  My first attempt lead to some annoying boot errors with ACPI.

Installation completed and you are then given the default username/password and the WebGUI address https://<LAN_IP_Address/.  It will use a self-signed cert so you will see a warning when you first connect.  You can always add the cert to your trusted list or you can be a real go-getter and get your own trusted cert from a third party.  But that costs extra and I am a little lazy.  After finishing up changing the default admin password and adding a normal user for SSH access later on, I pretty much called it a night.  Tomorrow I will move the device to the WAN and test connectivity.  Then I will create some firewall rules and get SSH working (for internal use).  Stay tuned....


Sunday, October 7, 2012

DerbyCon 2.0 review and other ramblings

Yes this is another DerbyCon review.  I'll try not to write the same stuff as the other 1500 blog reviews already out there.  I will say that it was awesome, and I think those of us that attended will agree on that fact.    First and foremost, if you are interested in pursuing a career in Information Security, you must attend a conference such as this.  The setup makes it very accessible for attendees to engage in great discussions around hacking, InfoSec and just about anything else.  Don't worry, you don't need to be a traditional hacker to get something out of this Con.  I met a programmer who currently does nothing with InfoSec.  He wants to learn more about the threats as well as why secure coding is important.  Even though you don't need to hack to enjoy yourself, you may find yourself attempting to pop a lock in the LockPick Village, or maybe picking up a soldering gun in the hardware village.  After you leave this Con, you may even look at picking up a Raspberry Pi to play around with.  This is a true community event where one is surrounded by people willing to share their knowledge.

The speakers made themselves pretty accessible, you did not need to wait in long lines to get seat for a talk, and you didn't need to leave a talk early to get to another talk.  Speaking of talks... well they had such a large volume of CFP entries, that they had 4 main tracks, they were separated into: Break Me, Fix Me, Teach Me, and The 3-way (a mix of the other 3) and opened a 5th track called "Stable Talks."  There were so many great topics, it was very difficult to determine which ones to attend.  Luckily they captured the 4 main tracks on video and most of them are posted to YouTube.  You can get to the full list at IronGeek's (Adrian Crenshaw) page: DerbyCon Videos.  Although the Stable Talks were shorter, that didn't affect the quality.  I think some of these talks will move into the main tracks next year.

So I arrived Thursday afternoon. Unfortunately, I was not there early for the training, which was going on Thursday and Friday morning.  They had a number of quality training opportunities which covered everything from Social Engineering to Reverse Engineering.  Thursday evening I was able to grab some dinner with a fellow EH netter (ethicalhacker.net member).  We discussed some of the finer points of working in a large organization and trying to push proper security procedures.  We were later joined by two more members and continued the discussion over Ethiopian food (which was mighty tasty).  Later that evening I was able to experience my first SlideShare Roulette at "Whose Slide Is It?".  For those that don't know, this is basically a test of one's presentation skills.  The moderator will pick a random slide deck from the slideshare.net site based on topic suggestions from the audience.  The presenter then must use his/her skills and work with the given slides.  It got interesting when the hotel staff arrived with 100 shots of bourbon courtesy of HD Moore (CSO/Chief Architect @ Rapid7).

Friday morning was pretty much just hanging out and waiting for the opening ceremonies.  There were some great discussions going on in the hallways and main lobby of the Hyatt.  Some of the best talks can be found in these "hallway cons" so I highly recommend getting involved in these sorts of discussions.  You will learn something and you may even have a different point of view to add that could benefit the group.  Eventually 1:00 pm rolled around and the talks began!  They kicked it off with keynotes from HD Moore's The Wild West, Dan Kaminsky's Black Ops, and Mudge's talk about the Cyber Fast Track program from DARPA.  After dinner the 5 tracks began and continued through the weekend.  I will not do a review of the talks I attended since I was pretty much in absorption mode and I am still catching up on the ones I missed as well as re-watching those I attended.

As I touched upon earlier, there were a number of events going on during and after the talks.  The big one was the CTF (Capture The Flag) competition.  Your mission is to use your skills in hacking to find all the flags on the CTF network.  I attempted but never got on long enough to even find the "beginner" flags.  This was in part due to the WiFi network for the event being unavailable and the bouncing in and out of talks.  These competitions are best handled by teams since the expertise needed to find the flags will vary.  You may have to write an exploit or use some forensic skills to find the various flags.  Hackers For Charity (HFC) held both a silent and regular auction throughout the weekend.  They raised over $33,000 thanks to the very generous community.  If you wanted to just wind down you can head over to the theater for the Hacker Movie Marathon.  Maybe you want to know if you should get your CISSP, but you aren't sure if you have the right knowledge, then you could have headed over to "Are You Smarter Than a CISSP?" held on Friday night.  You were given questions from each of the 10 CISSP domains, you can choose to answer them yourself or discuss it with the panel of actual CISSPs.  They were also available to save you if you got a question wrong.

Sadly Sunday morning came and it was time for me to leave the land of bourbon and horses.  Unfortunately there were still a slew of talks and the closing ceremonies to attend but I will catch them on video.  Next year I will plan on taking the training and staying until the closing ceremonies!  One more thing specific to the conference, a big THANKS! to the organizers and volunteers.  They made this such a great experience that I am still missing it a week later.










Wednesday, August 22, 2012

Basic Security and You... and your friends, and your clients...

It seems as if now-a-days when someone mentions Information Security, the first things that might come to mind are the dreaded words: APT, China, and Cyber War.  But there is much more to it I think.  The government is definitely on the cyber war kick.  With nation states actively sponsoring attackers, and defense contractors locking up their IP tighter than the great firewall of China, who could blame them?  I mean viruses and other malware just jump through the air now and land on systems that are supposed to be off the grid!  Its madness!!!  The apocalypse is not coming on December 21st, it is already here!  So while all the big boys fight it out with their budgets and search for the newest best shiny toy or magic unicorn slaying bullets, what are the little guys doing?  Who is protecting them?


Over the weekend I was messing around with Shodan (http://www.shodanhq.com).  For those that don't know, this is basically a search engine to find online devices such as routers, webcams, VoIP phones, Power plants, and Wind Turbines... wait what?  Yep, you know those important systems that feed our electrical grid and people are always concerned with being attacked? But  that is a discussion for another time.  So back to this awesome tool and its many uses...  Now one might ask, "How can something like this be allowed to exist???"  Well that is easy, the data it searches is publicly available on the Internet.  It searches based on any number of criteria such as open ports, website headers as well as response banners.  You can also drill down to specific locations.  For example you can search for open FTP ports in your home town.  Now I am not from Tampa, but I didn't want to out my own town.  So as I was popping in different ports to search on, I stumbled across a list of open RDP (remote desktop protocol)  ports.  Of course my curiosity gets the better of me and I find one device is a Windows XP system that could possibly be linked to say a financial department at a local University.  I was like oh fudge (only I didn't say fudge)!

OK, so why is this so bad?  I mean after all the staff must need to work from home and the school doesn't want to give them laptops for the fear of them being lost with important data on them.  But I am sure they encrypt all their laptop hard drives right?  Sadly I doubt it.  But who cares about laptops when you can just walk up to the front door and ring the door bell!  Someone might say "so what, even if they attempt to log in using a brute-force password attack, the accounts will lock."   But there is more than one way to skin a cat.  Enter Microsoft Security Bulletin MS12-053.  This is a vulnerability in Remote Desktop which could allow remote code execution.  Essentially, using the RDP service, I can send instructions to the target without actually having to log onto the system.  Well I can't, but I am sure someone much more talented than I, can.  So this is a big deal, can an organization confirm that they are 100% compliant with patching to prevent these attacks?  Knowing how much work it takes to keep a much smaller shop compliant, I would say, no way!  But who knows, maybe they are.  It still begs to question, if they are so sure of their compliance, why are they not using much more secure methods of granting remote access to their network?  So this brings my long winded rant to a close and I will leave you all with the following thought...

I had no luck with my other University contacts, so I am now tasked with the next steps:  Do I track someone down at the school and say "um... you dropped something here" and show the them site and query?  Or do I say screw them and their crappy security and move on?  The enterprising youngster in me say, "hmmm could be a nice lead."  But the paranoid adult in me says "Hell no they will probably think you are hacking their network!"

So what do you think?  Leave your comments below!

UPDATE 10/15/2012
Sent the "Data Security Admin" an anonymous email stating the problem and heard nothing.  Oh well I tried.  On to the next task.

Sunday, July 29, 2012

Coffee...

As I sit here ingesting my second cup of the drinkable java, I sit and wonder the advantages of drinking it black.  For those that don't know, when you take it black it means nothing added... no sugar and no lightening agent.  The advantages of consuming said beverage in this manner are few but can mean so much to some.

For example, the health implications of drinking coffee black are as follows: 
  • You intake less daily sugar, my average before was at least a table spoon per cup.  If you go to the local donut shop, you are looking at almost 4 tbsp in the average "Light 'N Sweet" request.  A tbsp of sugar equates to roughly 45 calories.  Here's some quick math:
    • 1 tbsp of sugar = 45 calories
    • x = # of tbsps
    • y = # of cups of coffee (10oz) / day
    • d = # of days
    • ((45*x)*y)*d = total number of calories from just sugar
Looks scary huh?  So toss some numbers in there, my average was a tbsp / cup, twice a day for 5 weekdays with an average of 1 cup per weekend so we will say for 6 days.  540 calories just from sugar in coffee.
  • If I add 2% milk to my coffee, that is another 16 calories per 20oz (based on 130 calorie per 1 cup of milk).  That also includes the sugars.  Add that into the equation and now you have 732 calories per 6 days.  Of course that will increase/decrease depending on the type of milk used.  If you prefer half n half, you are looking at 20 calories per .5 oz container.
OK so there are some health facts related to drinking coffee black and this assumes you can control what is put in.  I prefer adding just some cinnamon to the coffee for some aromatics as well as some additional health benefits of the spice.  A friend at work recommended that and it seems to be working.

So we have the healthy stuff taken care of now lets move on to more practical benefits of drinking it coffee as it was meant to be drunk.
  • You go to the fridge and realize you are out of milk!  No worries, you don't need it because you drink it black.
  • You go to the fridge and grab the milk and are about to lighten your coffee but you notice the expiration is well passed.  You figure well quick smell test, it seems slightly off but maybe it is still good for coffee, you take a quick sip and realize NOPE!  It's way off!  Again, no worries, you drink you coffee black, put the milk back in the fridge and let some other poor sap discover its bad (I keed I keed... ).
  • You open the sugar container and attempt to get your tbsp of the sweets and realize it has hardened into an impenetrable rock.  You are already running late so you have no time to chisel out a cube or two.  Again you realize you don't need to, proceed to cap your travel mug and head out the door!
  • Drinking coffee black also reduces any mysterious loss of the precious nectar due to ninja tactics made by your spouse who didn't have time to make her own cup of coffee and just needs a quick fix. One sip of the unsweetened ecstasy, and she/he will never attempt such tactics again.
So there you go, I hope you found this informative.  It isn't InfoSec related but it does focus on that wonderful life blood needed to get us through the day.     

Saturday, June 30, 2012

So this box keeps popping up about something wanting to do something....


I'm sure those of us in IT have never heard such a comment from friends, relatives or random stranger on the street who sees you messing around with some fancy gadget.   But in case you have we probably spend as much time trying to tell them how to send us a screenshot of the message, error or fake antivirus warning that they have had for the past 3 months but didn't bother telling you about it...

If you haven't figured it out just yet, I received such a comment today from my dear old Dad.  Unfortunately I could not remote into his computer to see this mystery box; I know I fail for not trying while driving home from work.  So I told him to take a screenshot of the message and email it to me.  Naturally he did not know how to accomplish this task so I told him I would email him some directions tonight.  Which lead me to the blog that I have neglected for the past couple months.  The next few minutes I will enlighten those of you non-techies on how to take a screenshot.  After all, I picture IS worth a thousand words (sorry)...

First what tools are available for taking screen shots?  Well it depends on your platform.  Here is a simple breakdown:

Right-CTRL+ALT+Print Screen:  Key stroke based and supported in Windows XP and Windows 7.  Actually this pretty much existed since Windows 95 I believe.  It takes a screen shot of the active window.  This works great for those pop-ups so you don't capture your entire desktop.

Snipping Tool:  This is present in Windows 7.  It is accessible from the Start Button>All Programs>Accessories>Snipping Tools (see image at the left).  This tool allows you to select a section and capture it.  You can then save it or copy it to that email you will be sending to your family helpdesk rep.

GreenShot:  This is my personal favorite capture app.  It is a free opensource utility available at http://getgreenshot.org/.  This is available for Windows XP and 7.  I find it a bit more versatile than Snipping Tool and you can map it to Print Screen.  This makes it seem faster to take screenshots.  It will automatically save the file after opening.  It also gives you some markup tools (shapes, arrows, etc…).  This is excellent for documenting processes with screenshots.

Now that you have the tool set available, it’s time to get a shot.  For simplicity sake, I will use Snipping Tool but by all means use whatever method is easier (Greenshot).   The Windows 7 Snipping tool is pretty cut and dry.  It can be accessed by navigating the Windows 7 Start menu and you will find it under “All Programs” and it will be in “Accessories.”  Alternatively you can type “Snipping Tool” in the search box in the start menu.

Once it opens it will be in capture mode, the screen will get “foggy” and your mouse cursor will become cross hairs.  Simple click and drag across the area you want to capture and then left go.  The image will open in the snipping tool for further editing and saving.  That is all it takes for getting that pesky error box captured so you can send it to your very computer literate friend, brother, sister or cousin.  One limitation to Snipping Tool is if you are trying to capture the start menu.  It will close each time you click off to go to the tool.  That is when I love having Greenshot.

Enjoy!