Brain Drool<br />
<br />
Stale Blog Syndrome (2016-07-10)<br />
It seems the only time I come here to post anything is when I am procrastinating on something else. For example, right now I should be working on my slide deck for my talk coming up next Saturday. If you are interested in watching me hopefully not suck too bad, come to <a href="http://www.securitybsides.com/w/page/107046219/BSidesCT2016" target="_blank">BSidesCT 2016</a> at Quinnipiac University next Saturday July 2016. Some evil person decided to put me right after the Keynote (no pressure). So come see me if you want to learn how to deal with the business moving apps and services into Microsoft Azure from an information security standpoint.<br />
<br />
If you want more up-to-date InfoSec write-ups feel free to check out my other blog over at <a href="https://nutmeginfosec.com/" target="_blank">NutmegInfoSec.com</a>. There are some interesting things about malicious JavaScript downloaders and replacing humans with technology. For now it is back to my slide deck.<br />
<br />
-Dewser<br />
<br />
Windows in the IoT space (2015-05-02)<br />
So this past week the annual <a href="http://www.buildwindows.com/" target="_blank">Microsoft Build Developer Conference</a> happened in San Francisco. During many of the keynote talks, Microsoft announced a bunch of their new platforms and products. Among them were Visual Studio 2015, Windows 10 Insider Preview, and Windows 10 for IoT. <br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg99Abqv6ycHbxiU4W_260Xg6hH1uZU0a3NQZGsGS1W8362E6uZNzpuMM4UioMKLlWuoa1BTdhdELVYI-s3aagCRQT6YCE9GvG9HTYXf-opWusuDlCT6_8Xbxg2DTdFsMd0-6vwgPVrzKs/s1600/catinternet.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg99Abqv6ycHbxiU4W_260Xg6hH1uZU0a3NQZGsGS1W8362E6uZNzpuMM4UioMKLlWuoa1BTdhdELVYI-s3aagCRQT6YCE9GvG9HTYXf-opWusuDlCT6_8Xbxg2DTdFsMd0-6vwgPVrzKs/s1600/catinternet.jpg" height="216" width="320" /></a>For my non techie friends and family, IoT = the Internet of Things. So what does that mean? Well as our computing devices get smaller and smaller, we are able to create more things that can connect to the ever growing internet. It isn't just your computer or mobile phone anymore. We have tablets, game consoles, smart TVs and other media devices. We now also have thermostats (<a href="https://nest.com/" target="_blank">Nest</a>), home automation systems, refrigerators, toasters, small robots, cats and dogs living together MASS HYSTERIA!<br />
<div class="separator" style="clear: both; text-align: left;">
For the most part this space has been frequented by micro-controller boards like the Arduino, Beaglebone, and the much smarter Raspberry Pi computers. Newer and smaller boards have now entered the market and they have come ready for the internet. <a href="http://spark.io/">Spark.io</a> has been releasing a different board every few months. Their first was a Wi-Fi enabled Spark Core, then came the much smaller Photon (about the size of a postage stamp), and now they have a cellular enabled board called the Electron. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So with all this IoT growth, it is only natural that Microsoft decided to jump in the pool. As a software company, you almost need to be in there if you want to stay relevant. So what's this new Windows 10 IoT all about? Well it is the latest in Microsoft's embedded OS. As of now they are supporting 3 hardware platforms - Raspberry Pi 2, MinnowBoard Max, and Galileo. Galileo has supported previous versions of Windows embedded but does not yet support Windows 10. But Microsoft has instructions on how to <a href="http://ms-iot.github.io/content/GetStarted.htm" target="_blank">get started</a> anyway. I will focus on the Raspberry Pi 2. This latest version of Pi was released a few months ago and is a pretty impressive tiny computer (<a href="https://www.youtube.com/watch?v=e1yDSUpQHNc" target="_blank">just don't use high powered camera flashes next to it</a>). With a 900MHz quad-core ARM Cortex-A7 processor and 1GB of RAM, it certainly has some juice to run a scaled down Windows OS. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So what will you need to get going? Well first a Raspberry Pi 2; availability is up and down so grab one when you can. Next you will need something to run Windows 10 Insider Preview (current version is 10074). I ran it in a VM but there are some very annoying bugs in the current version. I have not run it on a physical device yet since I don't have spare laptops lying around. You will also need Visual Studio 2015 to do development on. Follow the instructions on their GitHub page. Flashing the SD card is pretty straightforward. Once the Pi is booted up, you will have a screen with some basic information including the name of the device and its IP address. You will need to hardwire it with Ethernet as it does not appear to have any out-of-box support for your standard wireless controllers. Once you have the device info you can connect via PowerShell from your dev box. This can be done from Windows 7 or 8.1 running updated PowerShell. There are a few other steps you must complete to finish the setup. Unfortunately the rest of the development requires Visual Studio 2015. </div>
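The PowerShell connection step described above, written out as an added example (this is not code from the original post or from Microsoft's setup page). It assumes the device IP shown on the Pi's boot screen is read into the placeholder `$DeviceIp`, and it scopes the dev box's trusted-hosts list to that single device rather than to every host, since the remoting client will otherwise send credentials to anything that answers on the name you typed.

```powershell
# Added example: connect a Windows dev box to a Windows 10 IoT Core device
# over PowerShell remoting. $DeviceIp is a placeholder; replace it with the
# IP address shown on the device's boot screen.
$DeviceIp = "192.0.2.10"

# The WinRM service must be running on the dev box for remoting to work.
net start WinRM

# Trust only this one device. Using "*" here would make the dev box willing
# to send the Administrator credential to any host on the network.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $DeviceIp -Concatenate -Force

# Open an interactive session as the device's local Administrator account;
# PowerShell prompts for the password.
Enter-PSSession -ComputerName $DeviceIp -Credential "$DeviceIp\Administrator"

# Once inside the session, change the device's Administrator password before
# it ever sits on a shared network (the placeholder below is not a real value):
#   net user Administrator <new-strong-password>
```

The `-Concatenate` switch appends to an existing trusted-hosts entry instead of overwriting it, and `-Force` skips the confirmation prompt; check the current list afterwards with `Get-Item WSMan:\localhost\Client\TrustedHosts` to make sure no earlier wildcard entry is still present.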
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
One thing to note about Windows IoT: it comes with remote debugging enabled. So I would recommend not tossing this on the public internet until it is production ready. Visual Studio 2015 does have some IoT management features; hopefully that will allow you to enable/disable remote debugging when required. The geek in me is loving all this, but the security guy wants to start drinking heavily. The world is becoming more and more connected each day. Some of these technologies are improving our lives in various ways. We have more energy efficient homes, doctors can perform maintenance on healthcare devices without surgery, parents can keep track of their children, and brew masters can monitor their brewing processes without spending long hours at the brewery. But with every newly connected device there is a new possible risk for exploitation. Nothing is unhackable. If a vendor tells you this, they are lying. So if it can be turned on or off, it can probably be hacked. But without hacking we would probably not have our most successful breakthroughs in science and technology. Just like the discovery of nuclear power, it is both a great energy resource and an extremely destructive force if put in the wrong hands. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
So, don't be afraid of the Internet of Things, go out there, make something! Who knows maybe that something will be used in future space explorations or help an amputee walk again! </div>
<br />
Not a lot of drool lately... but how bout hacking in the mainstream eh??? (2015-01-20)<br />
"You work dark alleys, I work the dark nets..." So that is the tag line that Patricia Arquette's character drops during the latest trailer for the next installment of CSI, <a href="http://www.cbs.com/shows/csi-cyber/video/4121F32F-124A-BA57-81AD-D0C357F792D4/csi-cyber-series-premiere-preview/" target="_blank">CSI: Cyber</a>. It was bound to happen sooner or later. With high profile breaches like Sony Pictures, Target etc etc.. Hollywood is cashing in on the idea of digital terrorists and cyber criminals stealing anything not securely stored in a fireproof, airtight container at the bottom of an ocean. Seriously it is terrible out there. It was hard enough keeping track of the latest vulnerabilities and exploits so we can defend our networks, but now this stuff has hit the mainstream. So this is both a good thing and a bad thing.<br />
<br />
I'll start with the positives... We, as security pros, now have a way to explain to our non-technical associates and managers about the dangers of the internet. Granted the material in the TV and movie versions of our daily lives is a bit inaccurate (I'm being nice), it is still being put out there. Sure we can go back to great movies like <a href="http://www.imdb.com/title/tt0086567/" target="_blank">WarGames</a> and <a href="http://www.imdb.com/title/tt0105435/?ref_=fn_al_tt_1" target="_blank">Sneakers</a>, but they are a bit dated (Sneakers is still my favorite). <a href="http://www.imdb.com/title/tt0244244/?ref_=nv_sr_1" target="_blank">Swordfish</a> was a good flick as far as action goes and well Halle Berry made it even more tolerable, but no one out there is going to hack the NSA in 60 seconds at gun point and... well you saw the movie. Oh wait I was supposed to be positive here. So yeah it gets the concepts in front of the civilians. They now know there is a danger out there in the digital landscape. Information is not as private as we once thought and anyone with motive and ability will do their best to get at it. This will certainly help those of us who struggle with securing budget to improve our current environment. That larger budget will help us bring in additional staff, train our current employees and install that SIEM we've been wanting all these years. Now when the CIO questions your budget you just need to say "Because Blackhat!". OK, you will need to do more than that but it will certainly help sway their opinion on your needs. Also I say "CIO" because there are still big corps out there that have not yet gone the route of having an official CISO to handle InfoSec. Also no reason you Sys Admins can't use the same argument. <br />
<br />
OK so the negatives were mixed in with the positives a bit. Something that I think these Hollywood interpretations of hacking may do is set an unrealistic expectation on our current security teams. I mean, companies are going to expect their IR teams to be able to handle themselves in a firefight, or decrypt anything with a power cable attached to it, and maybe even go toe-to-toe with trained assassins while getting root on the Unix server. Sounds exciting huh? Believe me there are days where we wished it was a little more exciting. The reality of it is that our jobs, on the outside, do not look all that awesome to the non-tech folks. I mean if they tried to make a movie about what most of us do but still include action, this would be the result:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/3aipwDzC2hw?feature=player_embedded' frameborder='0'></iframe></div>
Don't get me wrong, in our minds and what we see, we do pretty exciting stuff. But some folks may just think we are nerding out over some code or the latest gadget. Now we can scoff at this latest trend in Hollywood or we can use it as a tool like we use PCI or HIPAA, to get what we want from our senior management. <br />
<br />
Well, ranted enough for the day. I'll have more here in the coming weeks I imagine. For now you can also head over to <a href="https://www.nutmeginfosec.com/" target="_blank">Nutmeg Infosec</a> and keep up with some stories there!<br />
<br />
<br />
<br />
<br />
It's been a busy October but it is over! (2014-11-02)<div style="text-align: left;">
</div>
So on top of the regular work activity, I have been trying to put together an active security meetup here in the great state of Connecticut. Doing that and helping the wife put together our annual Halloween party, has certainly sucked away some vital blog writing time. But the holiday is over and the next couple are usually pretty tame so back to the keyboard! <br />
<br />
So like I said, I have been working on getting some of the security pros in the state out of their corporate offices and into the laid back setting of a meetup. We had one decent meetup so far and I am planning on finishing out the year with at least 2 more. I will also be moving many of my security related posts over to the new meetup site - <a href="https://www.nutmeginfosec.com/" target="_blank">NutmegInfoSec.com</a>. Along with the main site, we have a <a href="http://www.meetup.com/Nutmeg-InfoSec/" target="_blank">meetup group</a> too. So if you are in the CT area and you want to share your experience with others, feel free to check us out. We meet once a month, currently at <a href="http://nesit.org/" target="_blank">NESIT Hackerspace</a> in Meriden. We try to have a couple people do short presentations on topics of interest that vary from the typical hackery of pen testing, to defensive strategies as well. You can also follow us on Twitter <a href="https://twitter.com/NutmegInfoSec" target="_blank">@NutmegInfoSec</a>.<br />
<br />
So that is all for now, I should have something techie up in a couple days, going to do a short write-up on the Ubiquiti UniFi Access Point and if you head over to NutmegInfoSec, there will be a brief post about building your own Tor router using a Raspberry Pi.<br />
<br />
<br />
<br />
Good on you Microsoft! (2014-09-13)<br />
So as I began writing this, I sit and stare at my other computer "preparing" to configure Windows after the latest batch of Microsoft updates have been installed. But I won't let that bother me as it hasn't blue screened...<br />
<br />
So in a recent <a href="http://www.zdnet.com/microsoft-refuses-to-hand-over-foreign-data-held-in-contempt-of-court-7000033508/" target="_blank">ZDNet article</a>, Microsoft is being held in contempt of court for not handing over data, that is stored on servers in Ireland, to US Federal Prosecutors despite a warrant. So those of us who have worked for/with companies that have an international presence, in particular within the EU, know that it isn't a simple matter of saying "oh we own the servers, so we have the final say in what we do with that data..." Fortunately/Unfortunately (depending how you look at it), the EU privacy laws are much stronger than most other countries'. So the fortunate part of this is that it puts our wonderful "World Police" mentality into check. People need to play nice around here, so if a foreign government is willing to work with us on something, then cool. If not, guess you need to go a different route in the prosecution.<br />
<br />
So if Microsoft said, "Sure buddy! here you go, all the foreign internetz!" Then they risk breaking the law in the foreign country. So damned if you do, damned if you don't. I once had to do some forensic work on a system in another country. That branch of the company needed to have their export folks and the privacy law dogs review the system before allowing me to take a forensic image. Even though we were the parent company, we still had to allow them to approve it. So it is a sticky matter when dealing with these situations. The "Unfortunate" part of all this is if one is doing a forensics investigation on something critical like a targeted attack, well time is everything! Lawyer types are not known for their speedy response on a decision. <br />
<br />
So what are your thoughts? I'd be interested in hearing them.<br />
<br />
It's Always the User's Fault... (2014-09-10)<br />
Throughout our career as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem. Granted there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse. Seriously, one time I was working for a university and I had to come up and check on a staff member's computer. I look at it and see a bunch of the power cables hanging out of the case. I look at them and ask if they attempted to fix it themselves, and they straight up denied it. So yeah we like to blame them for most, if not all of the problems. In Security we are no better. <br />
<br />
The debate is a hot one these past few weeks in lieu of the latest series of breaches, in particular the celebrity photos being leaked. Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!" To those of us in security, these things are just common sense. For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things. This is a pretty logical assumption from someone NOT in the security profession. But we all know better, don't we? Contrary to popular belief, this is something that was not instantly built into our DNA. It took years of experience to make us hardened pessimists of all things tech. We have seen what happens when things don't work right. We have worked for companies who have cut corners on a product just to get it out the door. We all know security is looked upon as a cost center, not a revenue driver. So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.<br />
<br />
Can you make things extremely functional without skimping on security? Certainly! Is it easy? Hell no! But then if it was, many of us would not have jobs. So how do we fix this? After all it is a growing problem that doesn't seem to get better despite everything we tweet and post about. I think first, the mainstream media just needs to stop... seriously, they are horrible at covering these types of news stories. Rather they need to get more REAL experts to comment and offer sensible recommendations. The larger news outlets are getting better at it by bringing folks in like Dave Kennedy (TrustedSec) or tapping Dan Kaminsky. But the smaller stations are really not there. So if you know folks at your local news organizations, reach out to them and let them know you have the answers! As for the companies who make these products, well the only way we can help is by taking on the difficult position of working for them and making things right. Then again, they have to be willing to compensate such positions appropriately.<br />
<br />
Ok, I think that is it. Guess I'll shut up for now. I have some letters to write to my local news outlets!<br />
<br />
<br />
<br />
Story of an IT Pro: Volume 2 "The Choice" (2014-09-10)<div dir="ltr">
If you haven't read <a href="http://braindrool.dewser.com/2014/09/story-of-it-pro-volume-1-beginning.html">Volume 1 "The Beginning"</a>, check it out now.</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
So fast forward from that time where I worked in K-12. I had worked for the school system for a little over 4 years and it was time to move on. For those that have been in IT for a while, you know that the jobs can get stale which can cause you to burn out. I was there and it was time to go. I took a job with a consulting company which offered a nice pay increase as well as possible training opportunities (later I found this to be exaggerated a bit). The job was a love/like/hate relationship. I loved the amount of experience I was getting from all the different environments and systems. I loved that I had people above me that had much more knowledge than I did on a number of related topics. I liked most of the people I worked with. I hated the travel. Now I had an idea that I would be on the road a bit more than a normal 9-5 with a standard commute, but it does drain you and can cause you to make some poor decisions in handling your job. Now that being said, I still would not have traded that experience. I think 5 years doing the same job in IT is a pretty good run. Will I ever take on a job like this again? Certainly not, but I would still recommend that if you are new to the industry, a consulting job will be your best bet to gain a significant amount of experience. Just do your research on the company beforehand. That is all I will say on the matter in this post. I may write something in the future on the topic. </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Back to the story... So I was getting burned out and InfoSec was just starting to become a hot topic, at least in my world. We had one guy in the company that held a strong interest in the art of penetration testing. Sadly, at this time, there was little call for it. We mainly did vulnerability assessments since no one wanted to pay for the full penetration test and/or risk having their systems down if we succeeded in the test. This field of study fascinated me. So I began doing some heavy research in the topic. I provisioned some systems in my home lab to play with and started using twitter so I can follow some pros. I filled my iPhone with all sorts of security podcasts. I was really into it. After I learned that with good security, one can eliminate a number of the small day-to-day fires that Sys Admins have to deal with, I made a choice to pursue this as a career. So I updated my professional development plan and let my manager know this is what I want to do. And shortly after that, the lead engineer for Security Services gave his notice. Well I still tried to take on more security related tasks but eventually, it was time to look for something new. </div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Remember that thing about burning out? Due to a couple bad calls on my part, it was decided that the company and I were no longer a good fit. I was able to take a nice semi-paid 3 week vacation before going back to consulting. I took a job with another consulting company to pay the bills. But it was not the job I was looking for. If it wasn't clear, the choice I made was to pursue a career in Information Security. I really didn't know what that meant exactly. I did know what I didn't want to do, and that was to have to troubleshoot printer issues forever. So I was determined to find the job that would support my new goals. I wanted to find things before they became problems. I wanted to prevent the common day-to-day fires caused by improper anti-virus software installs and poorly configured firewalls. During that short stint with that other consulting company, I was presented an opportunity to take on a Security Administrator role in a local not-for-profit insurance company. So I jumped at it! You have to do what is good for you. So you find that new job, write your resignation letter, and part ways...</div>
<div dir="ltr">
<br /></div>
<div dir="ltr">
Continued in Volume 3: Career Advice</div>
<br />
Story of an IT Pro: Volume 1 "The Beginning" (2014-09-01)<br />
So this may or may not turn into a series of posts. But just in case, let this be the first of that series. 15 years ago when I got into this business, I didn't really think I quite understood just how many different types of jobs existed out there in IT. I mean, sure, I knew about the help desk and repair jobs (which is where I started). I also knew about the System Admins and Network/Tel-co groups. And of course there were the developers. At the time those were the folks I would curse out on a regular basis for their "crappy app that we were forced to use". One more note about my past, I was a late bloomer to computers. I didn't really get into them until college. Sure we had one in the house before the days of AOL, but mostly it was a glorified word processor with a couple of games. We would occasionally use a modem (14.4 kbps baby!) and connect up to the various Bulletin Boards to download the Jolly Roger Cookbook and learn to make all sorts of things; which today would get us on a Terrorist Watch List. <br />
<br />
I've always been decent at using tech and gadgets but never really thought of making it a career. I wanted to do something that would allow me to work outside. Let's see, in Kindergarten I was asked what I wanted to be when I grew up... <i>Raiders of the Lost Ark </i>had just come out and I was fascinated with the adventures of Indiana Jones. So naturally my answer was "Archaeologist!" (probably one of the hardest words I had to spell in Kindergarten). Of course after I learned that you don't get to carry around a bull whip, sport a cool leather satchel, and shoot evil swordsmen in the head, I pretty much lost interest in that. Towards the end of high school I decided something in the environmental studies field would be fun, National Park ranger to be more specific. Unfortunately Chem 100 in college sent me off that path and into Business, more specifically Management Information Systems. <br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNrQ1gkFmDoOQQVf9TlDL-QxM9PHmG3yDQQTjrVV_wgzlegSXdcfTkRgD1AszjxYFb2QG5nNbtdpBAQOV9R5sviYDFljpfDPmY9tfZYBFWpbeCsquEti73hSc2Qv3UTSPjrFOVmZGUIU/s1600/VAX_11-780_intero.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDNrQ1gkFmDoOQQVf9TlDL-QxM9PHmG3yDQQTjrVV_wgzlegSXdcfTkRgD1AszjxYFb2QG5nNbtdpBAQOV9R5sviYDFljpfDPmY9tfZYBFWpbeCsquEti73hSc2Qv3UTSPjrFOVmZGUIU/s1600/VAX_11-780_intero.jpg" height="320" width="240" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">VAX 11/780<br />
Courtesy of<br />
<a href="http://en.wikipedia.org/wiki/VAX">http://en.wikipedia.org/wiki/VAX</a></td></tr>
</tbody></table>
By then, though, I had already explored my way around the University <a href="http://en.wikipedia.org/wiki/VAX" target="_blank">VAX</a> system and I even took a job in the Information Systems Computer Repair department. Apparently I was a natural at this type of work. The initial job was for an installer, which consisted of bringing a computer to an office and plugging it all in. Configuration was either done before or after it was installed. Of course I had to at least make sure it powered up and could access the network. I did this job for about 2 weeks before I was promoted to a repair tech after discovering a network issue in one of the buildings and troubleshooting it down to a bad port in the network closet with the assistance of the Tel-co folks. After that I had a number of different challenges which got me noticed by the Systems office. I was promoted to a position with the guys who basically controlled the access to the network and all the systems that ran on it. The new boss continued to challenge me with a number of tasks, from migrating the university staff from the VAX email to Microsoft Exchange 5.5, to creating a back-end database and query for user look-ups so people could verify who they were before resetting a forgotten password. By this time the only programming I had done was in the MIS Intro to Programming course. So this was certainly one of my toughest projects. I worked on that part and another MIS student created the front-end app the computer lab used to let students change their passwords. I also re-purposed the app so the help desk could verify staff when they called in. In hindsight, I should have kept learning more about the developer side of IT back then, considering what I do now.<br />
<br />
Eventually I had to start prepping for the real world. Luckily I had a good amount of experience from working at the university. I was able to take a co-operative education job doing Systems Admin work in a Novell/Windows environment (with a little bit of Lotus Notes thrown in for good measure), which then led me back to the education world managing the network and systems for a K-12 environment. So this is all leading somewhere, honest! Make a note of the comment I made about developers earlier in the story...<br />
<br />
Continued in <a href="http://braindrool.dewser.com/2014/09/story-of-it-pro-volume-2-choice.html">Volume 2 - "The Decision"</a><br />
<br />
The Value of a Masters Degree in InfoSec (2014-08-02)<br />
I was up extra early this morning and decided to comb through the twitters. I came across a tweet from Troy Hunt asking our opinion for a comment made on one of his blog posts:
<br />
<blockquote class="twitter-tweet" lang="en">
Is it just me, or is this an odd question for someone doing their "masters in cyber security" to ask? <a href="http://t.co/r7FbR7H9t4">http://t.co/r7FbR7H9t4</a><br />
— Troy Hunt (@troyhunt) <a href="https://twitter.com/troyhunt/statuses/495380610878164994">August 2, 2014</a></blockquote>
So of course I had to see for my own eyes. I suggest you should too... right now, I'll wait... Done? Good, now this is the sort of thing that just makes me sad for the future of InfoSec. Do I think Master's degrees are good? Sure, any education is usually not bad. It makes us all a little more knowledgeable, and sparks new ideas. That is, of course, if we already have a bit of experience in our field of study. <br />
<br />
So most of us in the profession have probably obtained at least a BS in some Computer Science or Information Systems degree. We then worked to get an internship and eventually some job in our field of study. Somewhere down the line we learned a whole lot about how to break stuff as well as fix said broken stuff. And after many long nights of figuring out why MS Exchange decided to throw up all over the datacenter, we got good at our job. So good, we figured out how to prevent others from breaking our stuff. After years begging management to give us more budget, or recommending to customers to implement new security measures, we decided to move on (that is a story all its own). <br />
<br />
Somewhere during our early careers, we decided to build our own home labs using spare parts or inexpensive eBay hardware. We did this because, like most other important things, training wasn't in the budget. So we stood up our own Exchange servers or Web servers in order to prepare for inevitable migrations. Then we discovered other benefits of these labs. We could break things here and no one cares. So we did it on purpose and learned that we could make the computers and software do our bidding. Now, in the age of the breach, we are being paid pretty well to break stuff for a living. Hell, those same managers and customers from before are now paying us double or triple our previous salaries, just to tell them the same things we told them 15 years ago. <br />
<br />
But there is a reason for that, we know what we are talking about. We have always worked to educate ourselves on our profession (and sometimes hobby). This means we studied on our own time, sometimes took training on our own dime, and kept up on the cyber crime (I couldn't resist). We take jobs to keep the mortgage/rent paid (my last job). And sometimes we get lucky and fall into something awesome (my current job) that allows us to possibly shape the future in our field. Do I get to do everything I want right now at work? No, but that is OK. I am working in technologies that I never thought I would 15 years ago. We adapt to the situations that we find ourselves in. That is what makes us good at our jobs.<br />
<br />
Now back to this guy asking about SQLi when going for a Masters in Cyber Security... So I was poking around at some local programs here in Connecticut. Sacred Heart University (SHU) has one such program. Besides the obvious requirement of a bachelor's degree, you need to have taken CS 504 Intro to Programming Using Scripting, and CS 505 or 339 Computer Networks. You can view the full outline <a href="http://www.sacredheart.edu/academics/collegeofartssciences/academicdepartments/computerscienceinformationtechnology/graduatedegreesandcertificates/ms-cybersecurity/" target="_blank">here</a>. Now granted those pre-reqs are not bad. CS 504 teaches you about Python, Perl, Ruby, etc... And CS 505 teaches you about networking, which is pretty valuable knowledge. Then you get thrown into things like digital forensics, Crypto, Securing the Cloud, Vulnerability Management... You have the link, you can look at the rest. My point is, by the time you decide to go for a Masters, hopefully you have been working a little in the related field. Information Technology, as well as Information Security, is not a profession you go into just for the paycheck. Granted it is a very nice bonus, but to succeed here, you need to keep sharp! If you are wondering what SQLi is all about, go download one of the many vulnerable web app distros and find out! Go to <a href="http://www.securitytube.net/tags/sqli" target="_blank">Security Tube</a> and watch videos on the topic. There are a ton of resources out on the web that will help you to your goal. Google is the InfoSec Pro's best tool, as well as some type of desktop virtualization platform like <a href="https://www.virtualbox.org/" target="_blank">VirtualBox</a> or <a href="https://my.vmware.com/web/vmware/free" target="_blank">VMware Player</a> (both free).<br />
<br />
So why does this irk me so much? Well, I feel that these programs will create a pool of very useless managers. They may know all the buzz words, but not have any real life experience with it. It takes years to build a solid base on just regular IT material. If you have never stood up your own mini-datacenter, or written an advanced web or desktop application, then you will never truly understand the topics in InfoSec. There are over 94,000 holders of the CISSP in the world. Of those that I have met, only a very small fraction actually know, and have applied, the controls covered in the certification. The rest got it because their company said they had to, and bought up all the seats in the class. Over the next few years we will probably see a similar growth spurt of newly decorated "Masters" of Cyber Security. If they are of the caliber seen in Troy's blog post, then I am just going to stop all this and become a hermit. Or move somewhere tropical and spend my remaining days on the beach. <br />
<br />
Well that is enough ranting for a Saturday, I need to get back to loading up the newest addition to the home lab and breaking stuff!<br />
<br />
The Cinnamon Snot Ball (2014-06-27)<br />
<br />
So here is a quickie as I stare at the BrainDrool timeline and realize I have been slacking...<br />
<br />
I am an avid coffee lover. If you recall one of my first posts, I wrote about reducing your caloric intake with changes made to your morning coffee in my post simply titled "<a href="http://braindrool.dewser.com/2012/07/coffee.html" target="_blank">Coffee...</a>" I mentioned in the post that I enjoy adding cinnamon for both flavor and the health benefits. At that time I didn't think I would be searching the internet for "Snot ball in my coffee" but here I am now writing about it.<br />
<br />
So this is not new apparently. Some ladies did an experiment on the phenomenon a couple of years ago; you can get all the details on the <a href="http://walkerszivak.blogspot.com/2010/10/cinnamon-snot-ball.html" target="_blank">blog post</a>. It's a pretty good experiment. So there I am one day, getting down to the last drop of my coffee. I take a nice big swig of it and suddenly my mouth is full of a big snot-like entity. Luckily I have a pretty strong tolerance for gross stuff which let me keep it contained until I could get to the sink. This was in part due to it not tasting bad. My first thought was that the milk was bad and caused this beast to grow in my coffee. I unleashed it into the sink and it was not pretty. A slimy mess of cinnamon and remnants of coffee made its way to the drain. After verifying the milk was good, I decided to avoid cinnamon for the next couple of days. And my suspicions were correct, no snot monster in my coffee. After some searching on the internet, I found that this may occur with cinnamon. It doesn't appear to be harmful and the less cinnamon used, the smaller the blob. Different brands may also produce different results. Some suggest brewing the coffee with cinnamon mixed in the grounds; unfortunately that isn't easily done with K-Cups. I suppose you can use the reusable cups that you fill with your own coffee, but those are terrible. <br />
<br />
So the next time you throw cinnamon in your coffee, just be aware that you may be greeted with an unpleasant surprise. It won't kill you but it may cause you to hurl if you have a weak stomach!<br />
<br />
Keeping Your Hyper-V Environment Patched (2014-04-30)<br />
<br />
In the last post I covered a brief overview of Hyper-V vs ESXi. Today I will share with you my experiences in keeping this environment patched. Hold onto your seats, this is going to be a wild ride...<br />
<br />
So before I go further, I would like to send you over to the following blog - <a href="http://windowsitpro.com/hyper-v/easily-maintain-hyper-v-template-image" target="_blank">http://windowsitpro.com/hyper-v/easily-maintain-hyper-v-template-image</a>. John Savill writes up the process pretty well. His example hints at just doing this in Hyper-V and excludes mention of SCVMM. This isn't too far off though since, even with SCVMM, performing certain tasks on either the Hyper-V host or the Hyper-V Manager app is still much easier than trying to do it in SCVMM. Also I found that even with the Hyper-V Management feature installed on SCVMM, the PowerShell modules still don't work correctly. At Step 6, make sure you choose the Generalize option for SYSPREP. This will make it so the image can be used by SCVMM during the Create Virtual Machine from Template step. Otherwise you will get a big ol' error during a build. Step 8 I ran from the Hyper-V host as it was just easier to keep everything local. Once the export completed, I copied the file over to the SCVMM Library server directory so it can be connected to the Template Image. Once that is all set, you should be good to go for building more updated VMs. It would be best to incorporate this into your patch management process and perform it on a monthly basis. I'm sure if you are smarter than I, you can automate much of this process. I am also sure this is documented somewhere in some TechNet blog but it probably requires that you are using System Center for patching rather than WSUS. <br />
<br />
The next post I will have up some steps to easily deploy a VM from template through a script...<br />
<br />
Hyper-V and SCVMM not quite ESXi and vCenter (2014-04-30)<br />
<br />
I am a huge fan of virtualization technologies. I started my days in NT 4.0 and when Virtual PC was released I jumped at the ability to run multiple operating systems without needing to dual boot. Years later I was able to experience VMware's virtualization platforms. It wasn't just booting multiple systems; it was streamlining the patching process, moving systems to other physical resources without batting an eye, and even moving them across datacenters to take advantage of off-peak utility rates. Virtualization has allowed companies such as Amazon, Netflix, and Google to grow into what they are today. And it has allowed much smaller companies the ability to run enterprise class environments without having to take up real estate in their small server room. 2-3 physical servers could be 20+ virtual servers.<br />
<br />
This may or may not be a series of posts related to virtualization, we will see. But for now it will be some nifty tips and tricks to help you get through using Hyper-V and SCVMM. For those who don't know, Hyper-V is the evolution of Microsoft's Virtual PC/Server. It is the hypervisor which is currently in use in their data centers and online service platforms. From a small business or startup's perspective, it is a very inexpensive way to build your new server infrastructure since Microsoft has a few licensing programs that cater to the small budgets of these types of businesses. So naturally it makes sense to utilize Hyper-V over VMware's ESXi.<br />
<br />
"But isn't ESXi free?" Glad you asked, yes it is and so is Hyper-V. Earlier this year Microsoft released Hyper-V Server 2012 R2. This is their free version of Windows Server 2012 w/ Hyper-V. Provided you have proper licensing, you can install your Windows VMs on this with no additional cost. There are some hardware limitations but I won't get into that at the moment. But this is only for their standalone products. Managing those systems is a different story.<br />
<br />
Here is where the expense comes in (aside from the hardware costs)... You can install as many virtual machines as your physical host(s) can support. But to manage all these hosts and support a proper virtual infrastructure, you need the management server. In VMware's case, this is vCenter. In the Hyper-V world it is Microsoft System Center Virtual Machine Manager (SCVMM). I may cover what one has to go through to get this thing running in another post later on. It was a bit more difficult than getting vCenter running. The requirements are not all that different, but the implementation is a bit more time consuming. For example, it is recommended that a separate SQL Database Server be used for storing the Hyper-V information. You can use the same server, but SCVMM will not install SQL for you.<br />
<br />
So to wrap this bit up... If you are a budding business and need to keep your costs low, going the Microsoft route may save you some money with their small business and startup programs. There is nothing wrong with that. If you find you like using Hyper-V, moving it to a more enterprise class environment would not be too difficult. If you grow to where you can afford VMware, then migrating from Hyper-V should not be too difficult. You would just convert them using the VMware vSphere converter and do them as physical machines. Sadly going VMware to Hyper-V is not as easy. You would need to stand up SCVMM first and incorporate your vCenter server in the mix. Then you would need to use the MS converter which may or may not work. I've seen mixed success with it.<br />
<br />
In the next post I will cover some tricks about keeping your Hyper-V templates updated...<br />
<br />
So you got a new computer, what's with all these tiles!?!? (2014-01-21)<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYzBrZMXrLrDaUL7EjQaFm0J_m4PM4dHOtPCi1PSh5wjkMH3iiaN6cM48ldeZErRGALAaQWnTI7QbFI9jvpHNDV09z9I715QR1NvR3uUnFNuQP5HKF2qIlB2GrnnacK_t4iyAG5k4DN_Y/s1600/win8tiles.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYzBrZMXrLrDaUL7EjQaFm0J_m4PM4dHOtPCi1PSh5wjkMH3iiaN6cM48ldeZErRGALAaQWnTI7QbFI9jvpHNDV09z9I715QR1NvR3uUnFNuQP5HKF2qIlB2GrnnacK_t4iyAG5k4DN_Y/s1600/win8tiles.jpg" height="195" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Default new user "Metro" screen for Windows 8.1 </td></tr>
</tbody></table>
As the expiration of support for XP looms, many people out there are getting new computers, laptops, and even tablets. If you have been an avid user of XP or Windows 7, then getting that first Windows 8 system is going to be a bit of a shock. As you can see from the left, that is essentially your "Start Menu." It is loaded up with all sorts of apps right? So most of those tiles are actually just internet feed apps. The tile screen was really designed for touch enabled devices. My first recommendation for someone asking about a new computer is to get one with a touch enabled screen. This will make your Windows 8 experience a much more positive one. The next thing you can do is clean up the tiles. Right clicking a tile will cause a selection mode to come up. You can right click on each tile you would like to "unpin" and select "Unpin from Start." <br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitVPx8y9-hRMV47n9bUBEFkJ04rHzxe-PR-StIfJdqhr5zuDLuxUi1IA-ihFLMan9TPMW1mmtulP8qNQby6LgsErV4_30pJxEo7pVRKF6CDQSnjLT3A0opdlLqz0FWMsa3syUPM8OysVM/s1600/win8tiles_unpin.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitVPx8y9-hRMV47n9bUBEFkJ04rHzxe-PR-StIfJdqhr5zuDLuxUi1IA-ihFLMan9TPMW1mmtulP8qNQby6LgsErV4_30pJxEo7pVRKF6CDQSnjLT3A0opdlLqz0FWMsa3syUPM8OysVM/s1600/win8tiles_unpin.jpg" height="182" width="320" /></a><br />
<br />
The next thing you will want to do is upgrade (if it didn't come installed) to Windows 8.1. This is a free update from Microsoft through their app store (yes they have one too now). They have a nice step-by-step tutorial <a href="http://windows.microsoft.com/en-us/windows-8/update-from-windows-8-tutorial" target="_blank">here</a>. This will add some more familiar functionality to the Tile screen and the Desktop. For example, to access applications like the Control Panel, Paint, or Notepad, you can now click on the arrow at the lower left corner of the Tile screen. From here you can right click any of the listed applications and add them to both the task bar on the desktop screen or as a Tile on the Tile screen. The other navigation issue is the implementation of hot edges. I would say corners, but in most cases hovering the mouse cursor over any of the edges on the tile screen and desktop may produce an option to switch from that current screen. Most new systems will run you through a quick tutorial with instructions on what to do near each of these hot edges. If you are purchasing from a store, I would recommend having the sales person walk you through the changes in Windows 8 from the earlier Windows versions.<br />
<br />
Now why did I recommend getting something with a touch enabled screen? Well, besides the fact that the "LabTab" or "TabTop" (or whatever you want to call it) is making a comeback, Windows 8 is designed for this type of device. It is meant to be interacted with through a touch screen using your hands. Swiping and scrolling works much smoother this way. My wife just recently picked up a Surface Pro, so I was able to play a bit more with the touch features. It is a bit different using your hands and the stylus than the mouse. Right clicking changes to a click-and-hold method. So you click on an icon, selection, or whatever, hold until you see the circle appear, then let go. You will then see the context menu. If you have a jittery hand, this can get pretty frustrating and you might end up dragging icons and tiles all over the place, rather than pulling up the context menu. The normal navigation around the tablet environment still feels much more natural using your hands as opposed to the mouse. Another cool feature that is present due to the stylus being added is the handwriting-to-text. If the new interface is still a bit confusing, then check out their "Help + Tips" app for some visual instructions. <br />
<br />
All-in-all it is not a terrible operating system. From a security standpoint it adds a number of improvements that were not native to Windows 7 and almost non-existent in Windows XP. The Surface has some nice features as well. The Stylus is pretty useful; it can also attach on the magsafe power connector (when you are not charging the device). It has a full size USB port and Micro SD slot. These come in handy for attaching additional storage. It also has an external mini-display port in case you want to connect it up to a secondary display. The only major drawback to the Surface Pro is the limited hard drive size (128GB). It seems like a lot, but if you are switching from a more full size laptop with a 500GB+ drive, then you may have some issues moving some of your larger files over. <br />
<br />
So there you have it, Windows 8 in a nutshell, you even got a bonus mini Surface Pro review. As always feel free to leave any comments or questions. Change does suck at times but a little patience and a lot of googling, can help you through the transition. It also helps if you are married to or dating an IT guy/gal. <br />
<br />
<br />
Supporting the Unsupported (2014-01-15, updated 2014-01-17)<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuPmV6cw1M3iRjp_T5eWysPc_OOyDzpo7uvvq1G148dwMRzjXErlNSCQgqO1huFzIghq5mAf_sNmVxFCzd7_efaJn68v0rfET4pHpCHmMICPHqVyNT45hTFCOrdwnNNlLCXC-m1ptgBNc/s1600/CountdownClockXP.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuPmV6cw1M3iRjp_T5eWysPc_OOyDzpo7uvvq1G148dwMRzjXErlNSCQgqO1huFzIghq5mAf_sNmVxFCzd7_efaJn68v0rfET4pHpCHmMICPHqVyNT45hTFCOrdwnNNlLCXC-m1ptgBNc/s1600/CountdownClockXP.jpg" height="242" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">http://countingdownto.com/countdown/143839</td></tr>
</tbody></table>
So the day is coming closer and closer when Microsoft will finally hit the delete button on support for Windows XP and Office 2003. This means no more updates of any kind. They are also ending support for Microsoft Security Essentials on XP. That is Microsoft's free consumer Anti-Virus product. So what does this mean?<br />
<br />
For the home user, there is a pretty simple solution. If you are still using a computer that is running Windows XP, then it is probably about time to get a new computer. XP was released to computer manufacturers on August 24, 2001. Microsoft continued supplying it to system builders through 2009. So chances are you own a computer that could be anywhere from 4-12 years old. So high time to upgrade wouldn't you say? Since I am the only IT guy in my family I get all the questions about why a computer is slow or why something isn't working. If the system is 5 yrs old or greater I will recommend they just get a new system. Certain things can probably be easily replaced but it will only be a matter of time before the next thing goes. Eventually the motherboard is next. Once that goes, you are pretty much getting a new system. So if you are a home user and still have XP, you may want to update your budget for a new computer in the coming months. While you are at it, you may also want to make sure you have been backing up your data and that it can easily be restored to a new system. Unfortunately transitioning off XP to Windows 8 will be a bit of a shock, but it can be done. I will cover that in another post soon.<br />
<br />
For a business, it is a different story. Many larger enterprises have been working on transitioning off XP for the last couple years. At this time if you haven't been planning this transition, then you will need to consider some things when April hits. You will need to determine how many systems are still going to be living on your network at that time and the risks associated with that. No more security updates means that there is a very good possibility that we will see a huge increase in the number of 0-days released for XP and Office 2003. So if you still have a need for these products on your network, you may want to consider isolating them off from your critical systems. You will also need to make sure your security vendors will continue to support them until you can have them decommissioned. If you can't isolate the physical systems, consider migrating them to Virtual systems that run in a more isolated fashion. For example, if you have specific users such as Engineers who need legacy software support, consider getting them newer Windows 7/8 systems. Install a virtualization platform and do a physical-to-virtual migration (P2V) of that legacy XP system. Change the networking to NAT or Host Only, and test to ensure that their software still functions. Chances are that if you haven't moved off XP then you probably don't have some of the more advanced security infrastructure in place such as Network Access Control (NAC). A NAC system can assist in identifying and isolating unsupported systems. The cost to implement some of these more advanced security measures may easily far exceed that of migrating off Windows XP. So there is that to keep in mind. The longer a company waits to do this, the higher that cost will be. <br />
<br />
This is not a new announcement; Microsoft has been trying to end support for XP over the last 5 years. It was the big enterprise customers that forced them to keep it alive. Their main reason was that much of their legacy software was not supported on Windows 7 and/or the cost to migrate was too high. As we like to say in consulting, "Pay me now or Pay more later." We make recommendations not to fill our pockets, but to ensure that your environment operates at an optimal level to support your business. If for some reason you did not take our advice at the time it was given, then there is a good chance you will need us to perform an emergency rush implementation of that earlier recommendation. The increase in cost usually comes with premium rates being used, increased shipping costs for rush hardware, as well as possible additional product support from the vendors. <br />
<br />
So you have 82 days left to either finish your Windows 7/8 migrations and test all your software. Or use that time to try and isolate those systems until they can be replaced at a later date. Either way you have some work ahead of you so I suggest you get started.<br />
<br />
UPDATE: On Wednesday (1/15/13) Microsoft announced they will extend support for their Anti-Virus products until July 2015. Now keep this in mind, that does not mean that XP is safe; this will just plug one hole in an already swiss cheesed dam. It is not a difficult thing to bypass anti-virus products on vulnerable systems. If you are not able to migrate off XP this year then you may want to consider a couple of additional options such as implementing an Application Whitelist solution such as <a href="https://www.bit9.com/solutions/security-platform/" target="_blank">Bit9's Security Platform</a> and/or deploying <a href="http://support.microsoft.com/kb/2458544" target="_blank">Microsoft's Enhanced Mitigation Experience Toolkit (EMET)</a>. Another revelation that was mentioned over the last couple of days has been the fact that many ATMs are known to use Windows XP Embedded. Now the banking regulations require that these devices are not on the internet, but that doesn't make them automatically safe. There have been a number of stories where thieves were able to get physical access to the system in order to load malware or a secondary operating system via USB. Again, this required physical access to the ATM. Other critical hardware that relies on XP Embedded includes a number of medical devices and SCADA systems. <br />
<br />
<br />
Hello little NAS why are you trying to talk to Russia? (2013-09-18, updated 2013-09-24)<br />
<br />
In a recent post I talked about <a href="http://braindrool.dewser.com/2013/09/securing-your-home-network.html" target="_blank">securing your home network</a>, so of course I want to make sure I practice what I preach. My main server recently suffered some hardware failure; there was nothing critical on it so I am in no hurry to get it back up and running. I took the opportunity to find something more dedicated to run the file sharing on the network so I picked up a QNAP TS series device. I figured yeah, this should do what I need. Well I didn't realize it was able to replace most of the services that my bulky Dell server was hosting. After getting it up and running I found it to have a slew of useful services like VPN, media server (DLNA) services, and of course file storage/sharing. So I got the thing running, connected up the big USB HDD and restored all the shared paths and such. Eventually I got the VPN working and made sure managing it was only done through SSL. <br />
<br />
So I had it going for a couple of weeks without any issues, until the morning I decided to check out my network traffic. I saw some odd stuff in my firewall logs that didn't make sense, and they were coming from the QNAP system. It started because I saw a good deal of inbound UDP traffic being blocked. UDP is basically TCP's bastard cousin. It is not typical for legitimate internet services to use UDP. So I checked out some IP addresses and they were coming from the usual overseas locations. No big thing, most likely internet scanning on UDP to see if anyone's firewall will allow it through. So I continue through the log and notice outbound UDP traffic. I panic a little and then notice it is going out over 6881. Now my lovely firewall allows me to do an on-demand packet capture, which is handy as it sits between my LAN and the Internet, so it can see everything. So I ran the capture and then filtered the results in Wireshark:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTGIlq8Fs1r0tCNAdHWjOBeNyxLw-EzM4Z1Dsi36Gldk6gydaiKf1W291ErkROlPzUpmKPrzKHyeAyMzvT5xStZWMvEkmZbh6MvdDgeANpCmdvV6mVKtAeI3t7nObes9eaxic85IxB_2o/s1600/packet_cap_sample_NAS.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTGIlq8Fs1r0tCNAdHWjOBeNyxLw-EzM4Z1Dsi36Gldk6gydaiKf1W291ErkROlPzUpmKPrzKHyeAyMzvT5xStZWMvEkmZbh6MvdDgeANpCmdvV6mVKtAeI3t7nObes9eaxic85IxB_2o/s320/packet_cap_sample_NAS.jpg" height="102" width="320" /></a></div>
Notice the many different non-US destinations? Yeah that didn't sit right with me. Did some digging as I have not memorized all my TCP/UDP port numbers and found that this is typical of BitTorrent listeners. I did some additional searching and found that the QNAP has a Download Manager service that comes turned on by default. This download manager runs like a Torrent listener so this is beacon traffic to the torrent network. I took a look at some of the packets and found it to be random garbage, nothing malicious. But still, that is traffic I don't want going out without my permission, least of all to overseas locations. I made some changes on the firewall that would automatically block traffic based on country of origin and found a nifty forum post about disabling the feature and hardening the device further.<br />
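The triage described above (background inbound UDP noise being blocked, versus a LAN host quietly sending UDP out to port 6881) is the kind of thing that is easy to script once you know what you are looking for. The following is an added example, not code from the post and not tied to any particular firewall: it parses a constructed, key=value style log (the NAS address 192.168.1.20, the LAN range 192.168.1.0/24, and all other addresses are assumed for the example) and separates the scanning noise from the LAN hosts that are beaconing to BitTorrent listener ports, listing the distinct peers each one talked to.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample firewall log (not output of any real firewall product):
# one line per event, in a simple key=value layout. The NAS is 192.168.1.20,
# a second LAN host is 192.168.1.31, and the WAN address is 198.51.100.10.
SAMPLE_LOG = """\
2013-09-18T06:01:02 action=BLOCK dir=IN proto=UDP src=203.0.113.45 sport=51413 dst=198.51.100.10 dport=6881
2013-09-18T06:01:05 action=BLOCK dir=IN proto=UDP src=198.18.7.9 sport=4444 dst=198.51.100.10 dport=1900
2013-09-18T06:01:09 action=ALLOW dir=OUT proto=UDP src=192.168.1.20 sport=6881 dst=203.0.113.45 dport=6881
2013-09-18T06:01:10 action=ALLOW dir=OUT proto=UDP src=192.168.1.20 sport=6881 dst=192.0.2.77 dport=6881
2013-09-18T06:01:12 action=ALLOW dir=OUT proto=UDP src=192.168.1.20 sport=6881 dst=198.18.33.2 dport=6889
2013-09-18T06:01:15 action=ALLOW dir=OUT proto=UDP src=192.168.1.31 sport=55000 dst=192.0.2.53 dport=53
2013-09-18T06:01:20 action=ALLOW dir=OUT proto=TCP src=192.168.1.31 sport=49200 dst=192.0.2.80 dport=443
"""

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home LAN range
BITTORRENT_PORTS = range(6881, 6890)            # 6881-6889, the conventional BitTorrent listener range


def parse_line(line):
    """Split one constructed log line into a dict; ports become ints."""
    timestamp, *fields = line.split()
    rec = {"ts": timestamp}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def triage(log_text):
    """Summarise the UDP picture the post describes.

    Returns inbound blocked UDP counts per destination port (the background
    scanning noise) and, more importantly, each LAN host that sent UDP to a
    BitTorrent listener port, with the distinct peers it talked to. Any LAN
    host in the second map is sending traffic the owner did not set up.
    """
    inbound_blocked = Counter()
    torrent_talkers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "UDP":
            continue
        if rec["dir"] == "IN" and rec["action"] == "BLOCK":
            inbound_blocked[rec["dport"]] += 1
        elif (rec["dir"] == "OUT"
              and ipaddress.ip_address(rec["src"]) in LAN
              and rec["dport"] in BITTORRENT_PORTS):
            torrent_talkers[rec["src"]].add(rec["dst"])
    return {
        "inbound_blocked_udp_by_port": dict(inbound_blocked),
        "lan_hosts_beaconing_to_torrent_ports": {
            host: sorted(peers) for host, peers in torrent_talkers.items()
        },
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for host, peers in summary["lan_hosts_beaconing_to_torrent_ports"].items():
        print(f"{host} sent UDP to BitTorrent ports on {len(peers)} distinct peers: {', '.join(peers)}")
```

Only the outbound, allowed UDP from a LAN source to the 6881-6889 range counts as beaconing here; the DNS query on port 53 from the other LAN host is deliberately not flagged, and the inbound blocks are just tallied per port so you can see the scanning noise separately from the traffic that actually matters.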
<br />
<ul>
<li>Disable Download Station - unless you can find a good use for it. This can be done from "My Apps." Just slide the bar to the left.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5PBdUWTmMWJBFuB8jyVLe0aNzH3q-_FOkwcFYyhK6UyJVu2sTui96vxaByCfY4DET-v87AznG38SExrl2iWkisvxlLes_FD1ydQjgHXYFSqP6wfCncdHTLjI_jPar69MH1lZc7-J1Yc8/s1600/Turn_Off_Download_Station.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5PBdUWTmMWJBFuB8jyVLe0aNzH3q-_FOkwcFYyhK6UyJVu2sTui96vxaByCfY4DET-v87AznG38SExrl2iWkisvxlLes_FD1ydQjgHXYFSqP6wfCncdHTLjI_jPar69MH1lZc7-J1Yc8/s320/Turn_Off_Download_Station.jpg" height="104" width="320" /></a></div>
<ul>
<li>Now we need some clean-up. We will need to make sure only authorized networks can access the QNAP. Go to the Security Settings in the QNAP control panel.</li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhszB7mCEIAcj7RW16mKSoLv8oT4H6dJZZvj1ImjBKSle6DC8w1QKnJe-jZENoZvUOPI-5wD-Ui-S4DVnAmwpjL3SW1inAaNbyfKpzgkbAWga_domlgFHrKHQkzeHTPGCHZtr7sxoqNiCA/s1600/QNAP_Security_Settings.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhszB7mCEIAcj7RW16mKSoLv8oT4H6dJZZvj1ImjBKSle6DC8w1QKnJe-jZENoZvUOPI-5wD-Ui-S4DVnAmwpjL3SW1inAaNbyfKpzgkbAWga_domlgFHrKHQkzeHTPGCHZtr7sxoqNiCA/s320/QNAP_Security_Settings.jpg" height="236" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrklhwAsGou1TYNF83z8w5KIBcoCBMu7PB599lrfVcnXW9N3hcki1bUkemwFhdIjJButkP18E8xYhGGZ9SdfulGEmLLZ5uWDtPGu9DgMuxdJ-w_qUMy4RChFHLpMm4h9zt_LoLXomIZIs/s1600/QNAP_Security_Settings_Network.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjrklhwAsGou1TYNF83z8w5KIBcoCBMu7PB599lrfVcnXW9N3hcki1bUkemwFhdIjJButkP18E8xYhGGZ9SdfulGEmLLZ5uWDtPGu9DgMuxdJ-w_qUMy4RChFHLpMm4h9zt_LoLXomIZIs/s320/QNAP_Security_Settings_Network.jpg" height="174" width="320" /></a></div>
<ul>
<li>In the Security Settings, select "Allow connections from the list only." Then add the internal IP addresses or ranges you wish to allow to access the device. This is handy if you happen to have a guest wireless network that may touch your main network. Again, who would have that? It is just silly. Refer to the image; IP addresses are obfuscated, but those would change based on the network anyway. I did have to add my VPN IP pool as well, since it is different from the internal LAN.</li>
</ul>
<div>
So that is it, piece of cake! Once you make the changes it will restart the network services, so you may lose access to the shares for a minute or two. After I made those changes the traffic pretty much stopped. I am still seeing a bunch of inbound UDP being blocked, but that should decline as well. Anyway, hope this is helpful to some folks. The device is pretty useful but again, don't always trust the default settings or apps. Take the time to understand what you plugged into your network! Any questions, feel free to leave a comment below!</div>
<br />
***UPDATE***<br />
So, a quick update on the network security... as I sit here waiting for my plane to Louisville for DerbyCon 2013, I decided to test my VPN to the home office. It wouldn't connect, so through other magical means I remoted in a different way to check the systems. Firewall check! It was passing traffic nicely. So I logged into the QNAP where the service is hosted and immediately saw the warning indicator for an unauthorized network attempting to connect on my VPN port. Nifty, that made fixing the issue pretty easy. I made the necessary changes and all is working now. So if you lock your QNAP down and use the VPN service, you may need to open some ranges or just not use the block networks piece. The VPN is only temporary until I can bring up a new full-time server.<br />
<br />
<br /><b>Securing Your Home Network</b> (2013-09-15)<br />
Every now and again I try to take some time out of my weekend mornings to look at my network traffic. I should certainly do it more often, or enable some form of weekly report to be sent to me; maybe that will be a winter project this year. In any event, with all the new tech we add to our home networks every year, it makes more sense to know exactly what is going on in the network. Big enterprises have numerous tools (not so much personnel) to monitor both outbound and inbound traffic; unfortunately the typical home user does not. In fact many believe that if they slap in their Linksys/Netgear home router, they are good to go and everything will behave. But with stories such as the <a href="http://www.huffingtonpost.com/2013/08/13/hacked-baby-monitor-houston-texas-parents_n_3750675.html" target="_blank">"hacked" baby monitor in Texas</a>, we know this is not true. Just some corrections to that story: it wasn't an actual baby monitor, you know, the two-way radio sort of monitor. It was a Foscam IP video camera, most likely of the wireless sort. It sounded like the father took the appropriate steps in configuring it, but again, just doing what the manual tells you to does not make it securely configured. <br />
<div>
<br /></div>
<div>
But I digress; the point of today's post is to help educate my not-so-tech-savvy readers and make them aware that many of these consumer brand companies really don't put too much effort into securing their product. They have some basics covered, like changing the default password or enabling secure wireless, but something such as allowing access to the device over the internet, well, that opens a door and invites trouble into your network. Researchers and the bad guys are constantly scanning the internet for open ports to determine which services might be running on them. You have your typical ones such as web-based TCP 80 (http) and 443 (https), as well as email (SMTP/TCP 25), FTP (TCP 21), and SSH/SFTP (TCP 22). There are also standard services running on non-standard ports; for example, http running on TCP 8080. This is typically done either to obscure a web server from the untrained script kiddie or to run more than one web server from a single host. In my case it would be to get web traffic through my cable company's routing rules, as residential internet typically filters popular traffic such as SMTP and HTTP on standard ports. We can go into details another time on that. With tools such as Shodan (<a href="http://braindrool.dewser.com/2012/08/basic-security-and-you-and-your-friends.html" target="_blank">See previous post</a>) being used much more frequently and internet scanning software becoming more efficient (<a href="http://blog.erratasec.com/2013/09/masscan-entire-internet-in-3-minutes.html#.UjX6RcasjZk" target="_blank">Check out the post from Robert Graham</a>), it is getting much easier to find out what is running on people's networks.</div>
<div>
<br /></div>
<div>
So what does all this mean? Well as consumers we need to start getting smart about what we are connecting to our home networks. In the past the average home probably had 1-2 computers and possibly both wired and wireless networking. Now a majority of homes have any number of smart phones, tablets, game consoles, laptops, and (maybe) a desktop all connected up. They may also include network printers, Smart TVs, Smart Blu-ray players, and other media devices such as Apple TV or Roku. All of these are now nodes on your home network and they all require internet access to function. </div>
<div>
<br /></div>
<div>
Now of course we have all created a network diagram that we keep handy for reference... right?? Anyone? Anyone besides the crickets? OK, I'm joking; only folks like myself who do this for a living will probably go the extra length and document the home network. At least I can rest easy knowing that if I am ever hit by a truck, my wife will know which device to unplug to reset the cable modem. I only partially joke about this, but it is not a bad idea to know what is connected to your home network; just draw it out on paper or make a simple list. You don't need to make high-end enterprise architecture diagrams, I mean that would be silly! The first part of securing something is knowing what it consists of. You know how many doors and windows you have in your home, right? Well, think of your network in a similar way. The fewer devices you expose to the internet, the better. Exposed meaning you allow inbound access to them. If you absolutely must have access to something while you are away from your home, then look into setting up a VPN. It is not all that hard and there are a number of both hosted and local solutions out there. I will be doing a write-up on one such device coming up. The VPN allows you to make a secure connection to your home network from outside. The tunnel is encrypted, so it is difficult to play man-in-the-middle on. Is it foolproof? Absolutely not, but it is another layer that keeps the novice out. In security we like to say, if someone wants something badly enough, they will get it; it is just a matter of time. Your best defense is to make it as hard as possible for them. Think about it this way: frosted glass on windows, thick curtains, and even warning signs on your property for dogs or an alarm system. Granted, these may throw up flags that you have valuable stuff, but they will keep the curious passers-by from snooping around. 
A determined criminal may risk it and smash in a window still, but he may not be willing to tangle with a big dog. </div>
<div>
<br /></div>
<div>
So this one went on long enough, I will end with this... don't assume the product manufacturers have your back; they want to make money, and adding extra steps to secure something may take from their bottom line. So go out and do some research on that next new gadget you want to add. Know that you may need to do some extra work to harden it! If you ever want more education on the matter, swing by your local hackerspace; there are always folks willing to educate people on these sorts of things. If you are local to CT, you can come by <a href="http://nesit.org/">nesit.org</a>. We are usually around in the evenings during the week and at random times on the weekends. The weekly schedule is posted on Sundays.</div>
<b>Edumacation and Training: Who's responsible? You or your employer?</b> (2013-09-03)<br />
If you consciously decide to take a career in information technology, then you should have realized that school and training don't stop after you receive your degree. The same goes for you if you decide to move into an information security position. This realm is constantly evolving and you need to be willing to evolve with it, or find a new career. <br />
<br />
<b>Your goals may not align with your employer's...</b><br />
<b><br /></b>
If you are lucky enough to land a job with a company that will pay for training, then take advantage of it. Just be ready to accept that what they are willing to train you on may not be in line with your personal career goals. For example, if you work for a consulting company, they may want you certified in their primary vendors' products. If it is a Microsoft Gold Partner shop, then they need to maintain a certain number of MCSE/MCSA certified individuals to keep that partnership. If you sell Cisco or Juniper products, the company may need those certifications as well. They may not want to send you to SANS or Blackhat for training on the latest security topics, unless, of course, they are a security consulting company and would rather your pen testing skills be honed. If you are in a large enterprise, the training may be more open; as long as it fits in with your development plan, it can be justified. In any event, take whatever training you can get; it will never be wasted and you might learn something interesting.<br />
<br />
<b>It may not be in the budget....</b><br />
<b><br /></b>
Be ready to hear that if you want an employer to pick up the bill for a conference. Although it may benefit them that you receive some cutting edge knowledge, they may prefer you attend online webinars or local events, rather than sending you to San Francisco for <a href="http://www.rsaconference.com/" target="_blank">RSA</a> or Vegas for <a href="http://www.defcon.org/" target="_blank">DEFCON</a> and <a href="http://www.blackhat.com/" target="_blank">Blackhat</a>. If that is the case, don't be afraid to spend some of your own cash and use your personal time to hit up some of the smaller cons like <a href="http://www.derbycon.com/" target="_blank">DerbyCon</a> (Louisville), <a href="https://www.shmoocon.org/" target="_blank">ShmooCon</a> (Washington D.C.), <a href="http://thotcon.org/" target="_blank">Thotcon</a> (Chicago), and of course any of the many <a href="http://www.securitybsides.com/w/page/12194156/FrontPage" target="_blank">Security BSides</a> events happening all over the world. Most of these are pretty affordable, and all you need to do is come up with the means to get there. If you can't afford a room, there is usually someone willing to split one. <br />
<br />
<b>Don't pass up excellent networking opportunities...</b><br />
<b><br /></b>
Back to the topic of the conferences, not only do you get exposed to some excellent talks, but these are also great opportunities to meet some interesting people. Again, your goals may not align with your company's, but that doesn't mean you should ignore them. Invest in yourself a little and get out to these cons. Who knows, you might have a conversation with someone who may want you to come out the next year and speak at the con. If it is a vendor, they may even pay for it. Also, when at the conference, don't worry about getting to every talk on the schedule. Take the time to participate in the "HallwayCon", grab coffee with some attendees, and don't be afraid to join a public dinner invite. You never know who you will meet out there, they could lead you to the next stage of your career. <br />
<br />
<b>"I'm going as long as work approves..."</b><br />
<b><br /></b>
So something along those lines was said to me when talking about a BSides event that was in the next state. The person was hoping work would pay for the single night at the hotel. Since BSides are relatively cheap, and usually within driving distance, I will cough up the 100-200 bucks for a single night at the hotel. Again, back to the networking opportunities and the education factor of these events, it is worth spending some of your own cash for it. In some cases, you can claim these trips as a business expense, but check with your tax guy first. <br />
<br />
<b>Anyhoo....</b><br />
<br />
Ultimately you are responsible for your own training and education. If you want to succeed in your career, you will make it happen. Whether you get work to pay for it or not, you should still do it. If work wants to get you trained on something not necessarily related to your goals, take it! It is knowledge you did not have before. So good luck out there and keep up the learning! Maybe we will bump into each other at the next HallwayCon. Otherwise see you at DerbyCon 2013 in Louisville this year!<br />
<br />
<b>Communicating with Execs on InfoSec</b> (2013-05-25)<br />
As I sit here, drink my coffee, and worry about the troubles of the world, I came across this <a href="http://www.darkreading.com/management/security-pros-fail-in-business-lingo/240155523" target="_blank">DarkReading post on Security Pros failing in Business Lingo</a>. It is an interesting read but nothing groundbreaking. The argument has been around for a while now that much of senior management rarely has any idea what we are talking about. We are finally seeing more of us making their way to that table. Those that do are usually well versed in business speak. I would agree that all security pros should be familiar with how to explain why technical vulnerabilities affect the business. In smaller shops you may not have that C-level representation, so you would need to double as the highly skilled security engineer and the CISO/CSO. But in the larger environments, there really need to be some tiers in place. Your skilled staff should worry about the job/mission while their management can translate their activities/needs to the execs.<br />
<br />
An engineer is an engineer, regardless of whether they are building a new jet propulsion system or developing a new architecture to store that system's critical data. People like your incident responders, security architects, penetration testers and such are (hopefully) highly skilled individuals who know their craft inside and out. They spend their days learning about the newest attack methods and how to detect/defend against them. They are the engineers and scientists of the IT world. They are not that different from your network/systems engineers who build the infrastructure. I'm not saying they can't be bothered with talking to execs, but they really shouldn't be focusing on that. They should be able to provide data to their management so they can communicate it up the chain. Let them do what they are good at and everyone will be happy. At times, though, the engineers may need to step up and speak directly to management. At that point, the security execs/managers should be supportive and help get the right "lingo" into that presentation. <br />
<br />
As a consultant, it is a different story. You need to be able to play both sides, as you are typically selling your service to non-technical people. You need to understand what keeps them up at night and address that. If you cater to SMBs, you will most likely be talking to the President/CEO of the company. They will most likely not know about things like "firewalls" or "SQL injection" and what types of risk they pose to their company. So things like "getting shell on your web server" will need to be explained in different terms; for example, "Your web server that hosts &lt;insert app name here&gt; is vulnerable to a number of attacks that will lead to a compromise of your customers' data. This data can then be downloaded and used to carry out a number of computer fraud crimes. Since this data contains SSNs and other Personally Identifiable Information, you can be held accountable and possibly fined a significant amount by the federal government." Make sure you include numbers on the possible fines because in some cases, if the business is small enough, that one fine can end them. I would cite similar numbers if I found a prospect that was out of compliance with Microsoft licenses. That was something like $100K per incident. Tell that to a company who doesn't want to "waste" money on a $1500 license pack and they change their tune. <br />
<br />
So I guess to wrap this up... This is going to be ever-present, as you will always need highly skilled individuals who know how to figure out the problems and fix them. The types that you throw a Rubik's Cube in front of and they will relentlessly work it until they achieve their goal. You will have the researchers who continually take apart hardware/software to see how it ticks. These guys are the scientists of technology and they need to spend their days doing this type of work. Eventually one will rise out of the lab; that person will realize they are better suited to help the cause from a managerial post. They will work to attain the skills to better work with the executives, but will retain the knowledge to continue communicating with the engineers and architects.<br />
<br />
As always, feel free to leave your comments. Do you agree or disagree?<br />
<br />
<b>Quick fun code with Powershell</b> (2013-04-22)<br />
So one of my areas of improvement this year is my coding ability. I just finished the Python course from <a href="http://codecademy.com/">Codecademy.com</a> (I highly recommend checking them out), but I also enjoy PowerShell, as I primarily work on Microsoft systems. I follow the MS Scripting Guy's blog - <a href="http://blogs.technet.com/b/heyscriptingguy">http://blogs.technet.com/b/heyscriptingguy</a>; he always has some great material to check out and try. Right now is the start of the 2013 Scripting Games, so to honor it, he posted a great tip for pulling down the latest blog posts for the games. You can check out the code here: <a href="http://blogs.technet.com/b/heyscriptingguy/archive/2013/04/22/powertip-use-powershell-to-keep-up-to-date-with-the-2013-scripting-games.aspx" target="_blank">Use PowerShell to Keep Up-to-Date with the 2013 Scripting Games</a>. <br />
<br />
So the initial code is pretty simple. When you run the script it will dump the results to your PowerShell console. But what if I don't want to review it just yet and would rather save it for later? I could dump the results to a file with a number of methods, but I really want to make sure I check it out. So why not generate a web page with the results? That would be perfect!! PowerShell has a number of ConvertTo-* cmdlets, and one of them is ConvertTo-Html. Here is the modified code:<br />
<br />
<span style="font-family: Courier New, Courier, monospace;"># $sg2013 holds the RSS feed URL defined in the Scripting Guy post linked above</span><br />
<span style="font-family: Courier New, Courier, monospace;">Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |</span><br />
<span style="font-family: Courier New, Courier, monospace;">ConvertTo-Html | Out-File E:\Code\Powershell\rss_reader.html</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<span style="font-family: inherit;">Notice I also added the link to the select statement. The last half of the code sends the information to the designated out-file. But I am not fond of the results.</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI5bqqxr9Ne_y6ZM3fL5Oxh_AhXyU0ghqxz0E69ZgtTOBU8vEjQmw8Q2etUpMgTR8tv9OcZJdXPiD3j45WRmAekGwylwa9qhLNrPUGXiHhwFUs_W0-REGt6bd-TXfPXkcDF2QVbGNOW9M/s1600/plain_rssfeed_reader.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjI5bqqxr9Ne_y6ZM3fL5Oxh_AhXyU0ghqxz0E69ZgtTOBU8vEjQmw8Q2etUpMgTR8tv9OcZJdXPiD3j45WRmAekGwylwa9qhLNrPUGXiHhwFUs_W0-REGt6bd-TXfPXkcDF2QVbGNOW9M/s1600/plain_rssfeed_reader.jpg" height="125" width="400" /></a></div>
<span style="font-family: inherit;">See? Very boring. Believe it or not, there is quite a bit of code present in the page. Since the conversion works from the original tabular output, it actually created a table in the HTML. Unfortunately no color. Let's see if we can spruce things up a bit. With a bit more research into ConvertTo-Html, I found that it has parameters for the various sections of an HTML file: -Head, -Body, and -Title. For this example we will stick with working in the HEAD section. In the HEAD section we can place STYLE rules that will apply to the whole page. A new variable will need to be created that will contain the content for the HEAD section:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">$style = "<style>BODY{background-color:black;}</style>"</span><br />
<span style="font-family: Courier New, Courier, monospace;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |</span><br />
<span style="font-family: Courier New, Courier, monospace;">ConvertTo-Html -head $style | Out-File E:\Code\Powershell\rss_reader.html</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: inherit;">We are almost there; unfortunately this creates a page with a black background, which is not good since the font color is also black. The style variable can be built up further using a series of "$style = $style + ..." statements.</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<br />
<div style="font-family: 'Courier New', Courier, monospace;">
$style = "<style>"</div>
<div style="font-family: 'Courier New', Courier, monospace;">
$style = $style + "BODY{background-color:black;}"</div>
<div style="font-family: 'Courier New', Courier, monospace;">
$style = $style + "BODY{color:lime;}"</div>
<div style="font-family: 'Courier New', Courier, monospace;">
$style = $style + "</style>"</div>
<div style="font-family: 'Courier New', Courier, monospace; font-size: small;">
<br /></div>
<span style="font-family: inherit;">This essentially builds out the style tag for the page. You can add additional rules to format the table colors as well. But let's keep it simple; here is how the new page looks:</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgF-xri0N0qB6OwNvPoRlzsE7tw1py_eiwrIyxNzpNP4qB1OyNDJ2ErFJ_lwaIZWQqw3oh2bdxUvIH5-24I6a5pCkOWBxzfSskowjTaFyBjj6gyDIBlcRguPgU6SGYKeXqlGlKnI4J43A/s1600/colorful_rssfeed_reader.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgF-xri0N0qB6OwNvPoRlzsE7tw1py_eiwrIyxNzpNP4qB1OyNDJ2ErFJ_lwaIZWQqw3oh2bdxUvIH5-24I6a5pCkOWBxzfSskowjTaFyBjj6gyDIBlcRguPgU6SGYKeXqlGlKnI4J43A/s1600/colorful_rssfeed_reader.jpg" height="103" width="400" /></a></div>
<span style="font-family: inherit;">That is much better; you can experiment with the colors if black and lime green are not your thing. We will add one more option to the ConvertTo-Html call, the -Body parameter:</span><br />
<span style="font-family: inherit;"><br /></span>
<br />
<span style="font-family: Courier New, Courier, monospace;">Invoke-RestMethod -Uri $sg2013 | select title, pubdate, link |</span><br />
<span style="font-family: Courier New, Courier, monospace;">ConvertTo-Html -head $style -body "<H2>2013 Scripting Games Feed</H2>" | Out-File E:\Code\Powershell\rss_reader.html</span><br />
<br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: inherit;">This adds a nice heading to the page. So this is great, I have a nicely formatted list of items from the Scripting Guy's blog, but how do I remember to go back and check??? Well you can call the following command in the script to open the file in a browser:</span><br />
<span style="font-family: inherit;"><br /></span>
<span style="font-family: Courier New, Courier, monospace;">Invoke-Expression E:\Code\Powershell\rss_reader.html</span><br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<span style="font-family: inherit;">This will open the HTML file in your default browser. So if you want to get really crazy, add this as a scheduled task to run every couple of hours/days/weeks etc. A couple of things I will be trying to add are some conditions so that I don't just keep getting a full list of items. I may only want to view the latest posts, and I may want the list to convert the links to hyperlinks. Well, I hope you enjoyed it, now go out and code! </span><br />
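The two follow-ups mentioned above (only showing new posts, and clickable links) worked through as an added example; this is not the Scripting Guy's code nor the script from this post. It assumes the same $sg2013 feed URL (left as a placeholder here, copy it from the linked post), the same output path, and an extra timestamp file and marker strings that I introduced for the example.

```powershell
# Added example, not from the original post: extends the reader so it keeps only
# posts published since the previous run and renders each link as a clickable anchor.
$sg2013  = 'PLACEHOLDER_FEED_URL_FROM_THE_LINKED_SCRIPTING_GUY_POST'
$outFile = 'E:\Code\Powershell\rss_reader.html'
$stamp   = 'E:\Code\Powershell\rss_reader.lastrun'   # assumed: remembers when we last ran

# First run shows everything; later runs only show items newer than the saved timestamp.
$since = if (Test-Path $stamp) { [datetime](Get-Content $stamp -Raw).Trim() } else { [datetime]::MinValue }

$style = '<style>BODY{background-color:black;color:lime;} TD,TH{padding:4px;border:1px solid lime;}</style>'

# The link cell gets wrapped in marker strings rather than a raw <a> tag, because
# ConvertTo-Html HTML-encodes every cell value (a literal tag would show up as text).
$rows = Invoke-RestMethod -Uri $sg2013 |
    Where-Object { [datetime]$_.pubDate -gt $since } |
    Sort-Object { [datetime]$_.pubDate } -Descending |
    Select-Object title, pubDate, @{ Name = 'link'; Expression = { "@@LINK@@$($_.link)@@END@@" } }

if ($rows) {
    $html = $rows | ConvertTo-Html -Head $style -Body '<H2>2013 Scripting Games Feed</H2>'
    # Turn only the marked cells into anchors. The URL between the markers is still the
    # encoded form ConvertTo-Html produced, which is what an href attribute needs, so
    # feed content never lands in the page unencoded.
    $html = $html -replace '@@LINK@@(.+?)@@END@@', '<a href="$1" style="color:lime;">$1</a>'
    $html | Out-File $outFile
    (Get-Date).ToString('o') | Out-File $stamp
    Invoke-Item $outFile   # opens the page in the default browser, as in the original script
}
```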
<br /><b>You Just Won A MEGA DISCOUNT!!!! (no you didn't)</b> (2013-03-22)<br />
You are an infosec geek when you receive a call that you know is a scam but you pick it up anyway to hear the recording. You then do some internet recon on the domain they tell you to go to and find that it was registered very recently. Next you pull up your sandbox system, load up BurpSuite and proceed to visit the very obvious phishing site to see what happens.<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp1cXyYUBLKfdulIEDOicNtRqTeAOiubA71flHbsEFghCT8EJyZI9EDsgqaqrXXBuBoBSZNV0LEzsClgHvqCFA-J1w9CKEvOthR5U64qBZchnig04OBekDJmKndTF1ypG8m4T_eOXUE5A/s1600/att555com.jpg" imageanchor="1" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp1cXyYUBLKfdulIEDOicNtRqTeAOiubA71flHbsEFghCT8EJyZI9EDsgqaqrXXBuBoBSZNV0LEzsClgHvqCFA-J1w9CKEvOthR5U64qBZchnig04OBekDJmKndTF1ypG8m4T_eOXUE5A/s1600/att555com.jpg" height="221" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fake AT&T Phishing Site</td></tr>
</tbody></table>
<br />
So random pre-recorded call from a bogus 800 number.<br />
"You just won the AT&T Mega Discount for $555 dollars off your next AT&T bill. You just need to visit att555.com to claim your discount."<br />
So you go to this site and say "Hey this looks legit, all the logos are there and such. Let me just log in and get my reward!"<br />
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkoido1RmoxqSJtqgwAfFM1I2mDlKoelEh-b2kYDRNauIH7g61zycIiA3Z9x0c5QCuTVjRx4-IrNrs4oO-YM3qVvohVSzz7xBCiytx-uebgDfIDptwhKWQnpHtCgzWWXttN0nYhITtw74/s1600/reall_att_account_page.jpg" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkoido1RmoxqSJtqgwAfFM1I2mDlKoelEh-b2kYDRNauIH7g61zycIiA3Z9x0c5QCuTVjRx4-IrNrs4oO-YM3qVvohVSzz7xBCiytx-uebgDfIDptwhKWQnpHtCgzWWXttN0nYhITtw74/s1600/reall_att_account_page.jpg" height="193" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Real AT&T Account Site</td></tr>
</tbody></table>
And now you just gave some guy in Germany your AT&T account creds and the last four digits of your Social. Notice the attached images? The first is the phishing site; it has all the logos and looks very similar to the real AT&T account site (next image). But the bogus site has an extra field for "Last 4 of SSN." In most cases AT&T will never require this unless you forgot your password or they need to verify your account when you call them.<br />
<br />
With BurpSuite running in intercept mode, you can watch the activity as you throw fake information into the site. It took whatever I submitted with no validation (another sign it is a bogus site). When I hit "log in", a ton of stuff happens in the background. It sends the data you entered to a web address in Germany:<br />
<div style="text-align: center;">
hxxp:[85.25.17.164]kingpin/deduct2.php. </div>
This happens in clear text as well, with no SSL anywhere to be seen. This is just one more thing to add to the list of suspicious activity. If the phisher were more creative, they would have at least used a bogus SSL cert to add more realism to the ruse.<br />
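The three tells described above (the form posts to a different host, it does so without SSL, and a login form that also asks for part of an SSN) as a small triage helper; this is an added example, not something from the original post. The function name, the constructed sample page and the placeholder addresses in it are mine, not the real phishing page.

```powershell
# Added example, not from the original post: apply the red flags from the write-up
# to a saved copy of a login page (for instance one captured in the proxy).
function Test-LoginFormRisk {
    param(
        [Parameter(Mandatory)][string]$Html,     # page source as captured
        [Parameter(Mandatory)][uri]$PageUrl      # URL the page was served from
    )
    $findings = @()
    $forms = [regex]::Matches($Html, '<form\b[^>]*>.*?</form>', 'IgnoreCase, Singleline')
    foreach ($form in $forms) {
        # Resolve the form's action relative to the page; no action means "post to self".
        $actionMatch = [regex]::Match($form.Value, '<form\b[^>]*\baction\s*=\s*["'']?([^"''\s>]+)', 'IgnoreCase')
        $action = if ($actionMatch.Success) { New-Object System.Uri($PageUrl, $actionMatch.Groups[1].Value) } else { $PageUrl }

        # Tell 1: the form submits somewhere other than the site that served the page.
        if ($action.Host -ne $PageUrl.Host) {
            $findings += "form submits to a different host: $($action.Host)"
        }
        # Tell 2: the credentials travel without TLS.
        if ($action.Scheme -ne 'https') {
            $findings += "form submits over $($action.Scheme), not https"
        }
        # Tell 3: a password field sitting next to an SSN-style field.
        $names = [regex]::Matches($form.Value, '<input\b[^>]*\bname\s*=\s*["'']?([^"''\s>]+)', 'IgnoreCase') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() }
        $hasPassword = [regex]::IsMatch($form.Value, 'type\s*=\s*["'']?password', 'IgnoreCase')
        $ssnField = $names | Where-Object { $_ -match 'ssn|social' } | Select-Object -First 1
        if ($hasPassword -and $ssnField) {
            $findings += "login form also asks for an SSN field: $ssnField"
        }
    }
    return $findings
}

# Constructed sample page (not the real site): a look-alike login form served from one
# host whose form posts in the clear to an unrelated address. Both addresses are placeholders.
$samplePage = @'
<html><body><form method="post" action="http://203.0.113.10/collect.php">
<input type="text" name="userid"><input type="password" name="password">
<input type="text" name="ssn_last4"><input type="submit" value="Log in">
</form></body></html>
'@
Test-LoginFormRisk -Html $samplePage -PageUrl 'http://example.invalid/login'
```

On the sample page this reports all three findings; a legitimate account page served over https that posts to its own host produces none.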
<br />
So, moral of the story: think before you click! Be aware of your surroundings. If something is too good to be true... it probably is.<br />
<br />
<b>Open Source Firewall project... Day 3, Time for Splunk!</b> (2013-01-01)<div class="separator" style="clear: both; text-align: center;">
</div>
So I scrapped the full UTM solution seeing that Snort has some serious memory requirements. I did not want to add any other packages to this device. If you are curious as to what would have been done you can check out <a href="http://www.smallnetbuilder.com/security/security-howto/31433-build-your-own-utm-with-pfsense-part-1" target="_blank">SmallNetBuilder's UTM Guide</a>. If I can obtain some better hardware I may move to a beefier solution, but for now, I will be happy just seeing more detailed firewall and IDS/IPS data.<br />
<br />
So if you have worked with pfSense at all, you will notice that it has limited internal logging capacity. You can adjust it, but eventually logs will be overwritten. With the addition of Snort, you now have another important log to look at. There is an option for each of the managed interfaces in Snort to send data to the system logs, but remember, you will now overwrite those with more data. So the best solution is to send all this information to a syslog server. There are a couple of solutions out there such as KiwiSyslog, but I sent the information to my Windows 2008 server running Splunk. There is a decent guide on <a href="http://www.seattleit.net/blog/realtime-pfsense-firewall-attack-logs-in-splunk-google-maps-with-geoip/" target="_blank">SeattleIT.Net</a>. That one includes using the Google Maps app in Splunk to track the geo-IP location of external hosts. The guide does contain two important config files needed, which is why I referenced it. You will need those so Splunk knows how to parse the information it receives from pfSense. On the pfSense box you will need to enable logging to a syslog server. This is done from Status-->System Logs-->Settings (see fig 3.1).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio57Ge9ucd0Gmkf-H3ejAO51gnJvq_M1j48M7m3gCABfAjFTi7HGHzeg1vlOq-M-oAr9TCQiPHbtVhpjyX9-nOT8hn34fhufd51zwocHkaz61R24N59MTmpcKRCROoMYPjLcgvjocqCt8/s1600/pfsense_log_settings.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEio57Ge9ucd0Gmkf-H3ejAO51gnJvq_M1j48M7m3gCABfAjFTi7HGHzeg1vlOq-M-oAr9TCQiPHbtVhpjyX9-nOT8hn34fhufd51zwocHkaz61R24N59MTmpcKRCROoMYPjLcgvjocqCt8/s320/pfsense_log_settings.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.1 - Log Settings pfSense</td></tr>
</tbody></table>
From here you can add the server and the logs you want to send. Unfortunately, pfSense only supports UDP port 514 for Syslog data. This is the default configuration; there are some guides out there that explain how to change this setting, but that is beyond the scope of this discussion. One more thing needs to be done here before we head over to Splunk. I want to make sure I capture the Snort logs as well. I haven't found an individual setting for Snort in pfSense to send logs to an external source, but there is an option to send them to the pfSense System Log. This works out, since I already set the System logs up to go to a Syslog server. Head over to Services--&gt;Snort and edit each interface you want the logs for. You will want to check off the option "Send alerts to the main System logs" (see fig 3.2).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvCAvdHRwh0moh6vJWFN29YSv7xmlEqdae8r2QG6QSeZ3oQ6k1s0kuKuLgW7yZFUui_pJu9PuLEPS9cDITHFUByCsgEhJUU5TeZLVQNncN5opMmVpp6kJlQ6CR_znOb7G9pNWFOcJiRE/s1600/pfsense_snort_logging.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvvCAvdHRwh0moh6vJWFN29YSv7xmlEqdae8r2QG6QSeZ3oQ6k1s0kuKuLgW7yZFUui_pJu9PuLEPS9cDITHFUByCsgEhJUU5TeZLVQNncN5opMmVpp6kJlQ6CR_znOb7G9pNWFOcJiRE/s320/pfsense_snort_logging.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.2 Sending snort alerts to System Logs</td></tr>
</tbody></table>
Now that we have logs to collect, it is time to turn on the feed in Splunk. This was tricky at first, but then I realized I had made a dumb mistake and it worked perfectly. If you are using a Windows server with the firewall enabled, you may have to allow the UDP 514 traffic from the pfSense box. The easiest way to add the information to Splunk is to go under the Search section and "Add more data" (See fig 3.3).<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-dRbmfs5Xv8L2rYK30he7vnM7wugMSr-zA3LGTshqsqhUC-FQrj2ABTxyO4_B8A1dhp6yEkZvZ29BXJIdNtWe7E4jaguy-2A6EiNivlpeycPGg3vLXxedhf2YIKz4rgfwH8exXhH1bQ/s1600/splunk_add_data.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="110" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhG-dRbmfs5Xv8L2rYK30he7vnM7wugMSr-zA3LGTshqsqhUC-FQrj2ABTxyO4_B8A1dhp6yEkZvZ29BXJIdNtWe7E4jaguy-2A6EiNivlpeycPGg3vLXxedhf2YIKz4rgfwH8exXhH1bQ/s320/splunk_add_data.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.3 Add Data to Splunk Search</td></tr>
</tbody></table>
From the next section you will be able to choose the type of data you want to add. For this we will choose "Syslog" (See fig 3.4).<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK9XclZvZLA2LNHk6MESVEqFx691MvenH7ivb1AZUXS8ZLWw2ZIzRH7yhBmpSQymvncvUPO2IDvJKvXJ1i5X3nF4t_gY_6HSnPoIXzIhE6Eej4wuFRjfAllhAWC4HyO64IQmHxRX0Vycg/s1600/splunk_add_syslog.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiK9XclZvZLA2LNHk6MESVEqFx691MvenH7ivb1AZUXS8ZLWw2ZIzRH7yhBmpSQymvncvUPO2IDvJKvXJ1i5X3nF4t_gY_6HSnPoIXzIhE6Eej4wuFRjfAllhAWC4HyO64IQmHxRX0Vycg/s320/splunk_add_syslog.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.4</td></tr>
</tbody></table>
Choose the type of Syslog you want, for this I used "Consume syslog over UDP" (See Fig 3.5).<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM6-mb7TmURvLAbdXas63gV8APnhQfy8xEjqw1it34G3Ivuwt2rhG5rFCR12QCy-o5R2hm5UFurNbH8U5onsxF_BTSZnsLqH5rOewQ2CnL_YoDWgU44vpDluBvEsoqxg5vnf652S8nqeI/s1600/splunk_syslog_UDP.JPG" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM6-mb7TmURvLAbdXas63gV8APnhQfy8xEjqw1it34G3Ivuwt2rhG5rFCR12QCy-o5R2hm5UFurNbH8U5onsxF_BTSZnsLqH5rOewQ2CnL_YoDWgU44vpDluBvEsoqxg5vnf652S8nqeI/s320/splunk_syslog_UDP.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.5</td></tr>
</tbody></table>
<div>
This brings you to the configuration screen. Set the port to 514 since that is the default used by pfSense. Then configure the remaining settings and check off "More Settings" for additional options (See Fig 3.6-7). </div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2ZITDhGQiT9BOk2BSoG8gIClUCKBPI5-mlV-tYcR8XMXWcJ4mW1CAddhAfEwomJhsdCI4QRux-rdnNMGBelRa9qOKcB6_e8ZDJU2FHFSuHS0obTGdO3TrHDNBING3gNPC17mj3s02FtM/s1600/splunk_syslog_UDP_config1.JPG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2ZITDhGQiT9BOk2BSoG8gIClUCKBPI5-mlV-tYcR8XMXWcJ4mW1CAddhAfEwomJhsdCI4QRux-rdnNMGBelRa9qOKcB6_e8ZDJU2FHFSuHS0obTGdO3TrHDNBING3gNPC17mj3s02FtM/s320/splunk_syslog_UDP_config1.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.6</td></tr>
</tbody></table>
<br />
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right; margin-left: 1em; text-align: right;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5V4RBEtSq0rUJ4NBbynakY10ht9xDSb3VpTD2Y2519UVtnKbIqvWp72ii01RLe8Oa14OBuXEZM52nRn-SKFT1OskmeuFcD0jtn6SrllrF9VPHz_gL1gmcRUwawj_-fdEPSTglcJmuZU8/s1600/splunk_syslog_UDP_config2.JPG" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img border="0" height="179" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5V4RBEtSq0rUJ4NBbynakY10ht9xDSb3VpTD2Y2519UVtnKbIqvWp72ii01RLe8Oa14OBuXEZM52nRn-SKFT1OskmeuFcD0jtn6SrllrF9VPHz_gL1gmcRUwawj_-fdEPSTglcJmuZU8/s320/splunk_syslog_UDP_config2.JPG" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Fig 3.7</td></tr>
</tbody></table>
<div>
<div>
Use the manual option for Source Type so you can set the correct name that coincides with the props.conf and transforms.conf files created in the SeattleIT.net blog.</div>
<div>
<br /></div>
<div>
Also notice in Fig 3.7 the "Restrict to Host" option. This locks down which host Splunk will accept syslog from; datagrams from any other host will be ignored.<br /><br />
<br />
Once the Splunk server has been rebooted, you should start seeing information flow in from pfSense. At this point you can start searching for specific events from Snort or the Firewall logs. Right now the logs from Snort are mixed in with the System log activity of pfSense. If you choose SourceType="pfsense-firewall" you will see only the firewall logs. For now I created an event type based on a simple search string, 'source="udp:514" snort'. I will most likely move to pulling the Snort logs out as a separate feed, but for now this works just fine.<br />
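As an added example (not code from the original post, from pfSense or from Splunk), the Python below does what the Splunk input on UDP 514 has to do with this mixed feed: it drops datagrams from any host other than the pfSense box (the "Restrict to Host" idea), parses the syslog header, and routes each line to a pfsense-firewall, pfsense-snort or pfsense-system source type, pulling the rule id, classification, priority, protocol and addresses out of Snort alerts so they can be searched as fields rather than with a bare 'snort' keyword. The sample datagrams, the 192.168.1.1 address and the local rule SIDs are constructed; the Snort field layout follows Snort's alert_syslog output, and the pf line is a simplified stand-in for pfSense's firewall log line (the props.conf/transforms.conf from the SeattleIT guide handle the real format). It assumes pfSense's syslogd forwards without a hostname field, which is the common form.

```python
"""Split a pfSense syslog feed (firewall, Snort, system) into typed events.

Added example, not from the original post or from pfSense/Splunk.
Sample datagrams and addresses below are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed LAN address of the pfSense box; plays the role of Splunk's "Restrict to Host".
ALLOWED_SOURCE = "192.168.1.1"

# RFC 3164 style header as forwarded by pfSense (assumed no hostname field):
# <PRI>Mon dd hh:mm:ss program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<prog>[A-Za-z0-9_.-]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Snort alert_syslog format:
# [gid:sid:rev] msg [Classification: text] [Priority: N] {PROTO} src:port -> dst:port
# Classification and ports are optional (ICMP alerts carry no ports).
SNORT_RE = re.compile(
    r"^\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"(?:\[Classification: (?P<cls>[^\]]*)\] )?"
    r"\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[0-9.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?$"
)


@dataclass
class Event:
    sourcetype: str
    program: str
    message: str
    fields: Dict[str, str] = field(default_factory=dict)


def classify(program: str) -> str:
    """Map the syslog program name to the Splunk source type we want."""
    if program == "snort":
        return "pfsense-snort"
    if program in ("pf", "filterlog"):
        return "pfsense-firewall"
    return "pfsense-system"


def parse_syslog(line: str) -> Optional[Event]:
    """Parse one syslog line; returns None for anything that is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    ev = Event(classify(prog), prog, msg)
    pri = int(m.group("pri"))
    ev.fields["facility"] = str(pri >> 3)  # PRI = facility * 8 + severity
    ev.fields["severity"] = str(pri & 7)
    if ev.sourcetype == "pfsense-snort":
        s = SNORT_RE.match(msg)
        if s:
            # Keep only the groups that actually matched (no cls/ports for ICMP).
            ev.fields.update({k: v for k, v in s.groupdict().items() if v is not None})
    return ev


def handle_datagram(src_ip: str, data: bytes) -> Optional[Event]:
    """Receiver step: enforce the allowed sender, then parse the payload."""
    if src_ip != ALLOWED_SOURCE:
        return None  # ignored, like Splunk's Restrict to Host
    return parse_syslog(data.decode("utf-8", errors="replace").rstrip("\r\n"))


# Constructed sample traffic as the Splunk box would receive it on UDP 514.
SAMPLE_DATAGRAMS: List[Tuple[str, bytes]] = [
    ("192.168.1.1", b"<134>Jan  1 10:15:01 pf: 00:00:01.123456 rule 2/0(match): "
                    b"block in on em0: 203.0.113.7.51234 > 198.51.100.2.22: tcp"),
    ("192.168.1.1", b"<33>Jan  1 10:15:02 snort[4211]: [1:1000001:1] LOCAL SSH scan test "
                    b"[Classification: Attempted Information Leak] [Priority: 2] "
                    b"{TCP} 203.0.113.7:51234 -> 198.51.100.2:22"),
    ("192.168.1.1", b"<38>Jan  1 10:15:03 sshd[811]: Accepted publickey for admin "
                    b"from 192.168.1.50 port 40212 ssh2"),
    # Not the pfSense box: must be dropped.
    ("10.9.9.9", b"<134>Jan  1 10:15:04 pf: 00:00:02.000000 rule 2/0(match): "
                 b"block in on em0: 10.9.9.9.1 > 198.51.100.2.1: icmp"),
]


def run_demo(datagrams=SAMPLE_DATAGRAMS) -> Tuple[List[Event], Counter]:
    """Process the sample feed; returns the accepted events and a per-sourcetype count."""
    events = [ev for src, data in datagrams if (ev := handle_datagram(src, data)) is not None]
    return events, Counter(ev.sourcetype for ev in events)


if __name__ == "__main__":
    evs, counts = run_demo()
    for ev in evs:
        print(ev.sourcetype, ev.program, ev.fields)
    print(dict(counts))
```

The same split can be expressed in Splunk as a sourcetype-assigning transform keyed on the program name, which is what the referenced props.conf/transforms.conf do for the firewall lines; extending that to the snort program gives the separate Snort feed without a second UDP input.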
<br />
At this point I have called it a day and the initial project is done. I will most likely tweak the configuration and try to pull out some more useful information that will assist in setting up some decent block rules in Snort. But that is enough work on my vacation and the Xbox is calling! If you have any questions, feel free to leave a comment or hit me up on Twitter. I hope you all kick the new year off right!</div>
</div>
<h2>Open Source Firewall project... Day 2ish</h2>
Posted 2013-01-01<br />
OK, so this is a couple of days combined. We left off with getting access to the WebGUI and making sure everything was good to go for connectivity. I put a hold on configuring additional firewall rules for OpenVPN but will look at getting that up in the next day. I spent some time checking out the new data I was logging for external access attempts. Eventually this information will be sent to a log management solution for better data gathering; more on that later.<br />
<br />
Over the last couple of days I worked on getting Snort installed and configured, as well as setting up the Dynamic DNS service I use. DynDNS (<a href="http://dyn.com/">dyn.com</a>) is a nifty service for when you have a dynamic public-facing IP address (typical for residential ISP customers) but want a stable DNS record pointing at that interface. The service uses an agent-based, manual, and/or account-based method to update the host information. Most broadband routers and SOHO-style firewalls have the ability to communicate with Dynamic DNS services. The typical free solutions give you some pre-defined domains to use, but if you want to get fancy, you can just create a CNAME with your current DNS host and point it to the DynDNS name, for example: remote.mydomain.com --&gt; remote.dyndnsdomain.com.<br />
<br />
Now that all that is settled, we can proceed to getting the IDS/IPS up and running. For that we add the snort package. If you are following the guide from <a href="http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense" target="_blank">SmallNetBuilder</a>, you will see it is pretty simple. Always remember when configuring your IDS/IPS: only turn up the rules/categories related to your network. For example, if you do not have Oracle servers, then don't turn on the Oracle rules. This cuts down on the number of alerts you will receive from the IPS. If this is your first IPS solution on your network, you may also want to enable just the IDS portion first to see what is going on. If you see immediate activity that you know should not be occurring, then enable the IPS portion for that specific activity. Upper management tends to frown on bringing the business to a screeching halt because your custom application looked like bad network activity to Snort. For a home network straight Snort is good enough, but for business you may want to consider the SourceFire appliance. It is much easier to call support to fix something ASAP rather than scouring Google.<br />
<br />
I initially turned up the block rules for the WAN and left them off for LAN. I had some issues with the blocking on the WAN, though, since it was blocking the pfSense package management traffic. I am currently just in IDS mode on both interfaces, since my main goal here was to see what is happening on the home network. Later I may build up some suppression/whitelist rules.<br />
<br />
The final part of the guide instructs you to install IP-Blocklist. The application is basically a managed blackhole solution for the firewall side of pfSense. You configure it to pull some blacklists and it will drop packets to or from IP addresses on those lists. This is great if you want to block traffic from specific countries. IP-Blocklist is no longer fully supported by pfSense; they now offer pfBlocker, which works much the same way and is added to your Firewall controls. I did not do much to configure this yet. Again, I want to see where traffic is coming from first, then I will look at initiating some blocks.<br />
<br />
Once Snort was running I did notice some errors popping up repeatedly on the console. Many were ACPI errors. I found some discussions pointing to a variety of FreeBSD and hardware issues. The one that seemed related pointed at the onboard Realtek NIC. Disabling the NIC in the BIOS and rebooting seemed to stop the errors. Of course that angered pfSense and forced me back through the config prompts. After fixing all that, I re-enabled the onboard NIC and received the ACPI errors again. Rebooting in Safe Mode auto-corrected a number of errors, and unlike a Windows Safe Mode boot, no services were disabled.<br />
<br />
This is where I pretty much called it a day. Next up is adding this newfound information to Splunk.<br />
<h2>Open Source Firewall Solution... Day 1</h2>
Posted 2012-12-26<br />
So I've been wanting to do this project for a long time but never can seem to find the time to get it done. Nor can I seem to have the hardware available when it is needed. When people are entering the Information Security field, one of the toughest things to do is get experience working with some of the software and hardware systems out there. So if you can't get the experience at work, build something at home!<br />
<div>
<br /></div>
<h3>
The Final Goal</h3>
<div>
I am finally working on putting together a UTM (Unified Threat Management) network in my home. What that means in simple form is the ability to catch malicious activity as it is happening on my home network and put a stop to it. It isn't just one product that does this, though. It is typically a layered security approach relying on input from a number of sources: firewall logs, IDS/IPS (Intrusion Detection/Protection System) alerts, client anti-virus alerts, and whatever other logs you may have at your disposal. The core component is a log management system and/or a SIEM (Security Information and Event Management) solution. In small networks such things may not be needed, but if you enter an enterprise network with thousands of servers, workstations, and network devices, managing events can be very cumbersome. If not properly staffed, things may fall through the cracks. It doesn't even need to be malicious; it could be something as simple as a hard drive failure. A simple log management solution will collect the logs from the many devices, but you still need to parse out the data and try to connect some dots. The SIEM is the key: it helps with that, and in some cases it can correlate the data across the logs being collected and alert on suspicious activity. I never really got to put something like this together, since I am currently in a "hands off" position. I get to plan it out on paper and make some recommendations based on research, but someone else will be tasked to build it. Frankly, I like getting my hands dirty and I like having proof that I know what I am recommending. So I look at building this stuff in my home lab. On to the build....</div>
<div>
<br /></div>
<h3>
What is needed to get started...</h3>
<div>
I am using the following site for guidance: <a href="http://www.smallnetbuilder.com/security/security-howto/31406-build-your-own-ids-firewall-with-pfsense" target="_blank">Build your own IDS Firewall with pfsense</a>. We will be using the open source firewall solution called <a href="http://pfsense.org/" target="_blank">pfSense</a>. My build is actually just the firewall with no guest wireless. Hardware-wise, I will be using a small Micro-ATX system I call my Shoebox. It is running an Intel Atom board with 2GB of RAM, a 250GB 2.5" SATA drive, and a CD-ROM. It is about the size of a shoe box. The Atom board runs pretty quiet as well, so if you don't have a dedicated network closet, no big deal. The system also has two network cards: the on-board NIC and a PCI-based Intel Pro 1000. If you want to follow the linked guide, you will need to have a dual-port PCI NIC.</div>
<div>
<br /></div>
<h3>
Day 1</h3>
<div>
Nothing too fancy here since I got started a little late. You will need to have a keyboard and monitor for this part; afterwards you can use either the WebGUI or SSH. I downloaded the <a href="http://www.pfsense.org/index.php?option=com_content&amp;task=view&amp;id=43&amp;Itemid=44" target="_blank">USB boot image</a> of pfSense and used <a href="http://m0n0.ch/wall/physdiskwrite.php" target="_blank">physdiskwrite</a> to image a 4GB flash drive from my Windows desktop. For anything greater than 2GB, you will need to use the "-u" switch with the command, and you will need to run the command prompt as Admin in order to see the drives. pfSense is now bootable from the flash drive. At that point I fired up Shoebox with the USB connected and followed the Default startup mode. You can pretty much let it boot with the defaults. It will take you through the interface configuration. From here I strayed from the guide since I was not yet ready to connect to the "WAN" (my cable modem). So I just popped the ethernet cable between each interface as I was prompted. I did find that the auto-config was not exactly picking up the interface, so I had to manually enter the name. You will see this during the first request to auto-configure ("a"). In my case the Intel PCI NIC was "em0" and the Realtek on-board NIC was "re0". Once the network configuration was complete, you will see the pfSense menu. Before I proceeded, I reset the LAN interface since it uses 192.168.1.1 by default. I switched it to reflect my current network using option #2 from the menu, Set Interface(s) IP Address. I then chose to install to the hard drive. Basically this part takes the information saved to RAM and builds the image on the local hard drive. Use the Quick/Easy Install method. My first attempt led to some annoying boot errors with ACPI.</div>
<div>
<br /></div>
<div>
Once installation completes you are given the default username/password and the WebGUI address, https://&lt;LAN_IP_Address&gt;/. It uses a self-signed cert, so you will see a warning when you first connect. You can always add the cert to your trusted list, or you can be a real go-getter and get your own trusted cert from a third party. But that costs extra and I am a little lazy. After changing the default admin password and adding a normal user for SSH access later on, I pretty much called it a night. Tomorrow I will move the device to the WAN and test connectivity. Then I will create some firewall rules and get SSH working (for internal use). Stay tuned....</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>DerbyCon 2.0 review and other ramblings</h2>
Posted 2012-10-07<br />
Yes, this is another <a href="http://derbycon.com/" target="_blank">DerbyCon</a> review. I'll try not to write the same stuff as the other 1500 blog reviews already out there. I will say that it was awesome, and I think those of us that attended will agree on that fact. First and foremost, if you are interested in pursuing a career in Information Security, you must attend a conference such as this. The setup makes it very accessible for attendees to engage in great discussions around hacking, InfoSec and just about anything else. Don't worry, you don't need to be a traditional hacker to get something out of this Con. I met a programmer who currently does nothing with InfoSec. He wants to learn more about the threats as well as why secure coding is important. Even though you don't need to hack to enjoy yourself, you may find yourself attempting to pop a lock in the <a href="http://www.bloomingtonfools.org/index.php" target="_blank">LockPick Village</a>, or maybe picking up a soldering gun in the <a href="http://www.lvl1.org/" target="_blank">hardware village</a>. After you leave this Con, you may even look at picking up a <a href="http://www.raspberrypi.org/" target="_blank">Raspberry Pi</a> to play around with. This is a true community event where one is surrounded by people willing to share their knowledge.<br />
<div>
<br /></div>
<div>
The speakers made themselves pretty accessible, you did not need to wait in long lines to get a seat for a talk, and you didn't need to leave a talk early to get to another one. Speaking of talks... they had such a large volume of CFP entries that they ran 4 main tracks, separated into Break Me, Fix Me, Teach Me, and The 3-way (a mix of the other 3), and opened a 5th track called "Stable Talks." There were so many great topics that it was very difficult to decide which ones to attend. Luckily they captured the 4 main tracks on video and most of them are posted to YouTube. You can get to the full list at IronGeek's (Adrian Crenshaw) page: <a href="http://www.irongeek.com/i.php?page=videos/derbycon2/mainlist" target="_blank">DerbyCon Videos</a>. Although the Stable Talks were shorter, that didn't affect the quality. I think some of these talks will move into the main tracks next year.</div>
<div>
<br /></div>
<div>
So I arrived Thursday afternoon. Unfortunately, I was not there early enough for the training, which was going on Thursday and Friday morning. They had a number of quality training opportunities which covered everything from Social Engineering to Reverse Engineering. Thursday evening I was able to grab some dinner with a fellow EH netter (<a href="http://ethicalhacker.net/">ethicalhacker.net</a> member). We discussed some of the finer points of working in a large organization and trying to push proper security procedures. We were later joined by two more members and continued the discussion over Ethiopian food (which was mighty tasty). Later that evening I was able to experience my first SlideShare Roulette at "Whose Slide Is It?". For those that don't know, this is basically a test of one's presentation skills. The moderator picks a random slide deck from the slideshare.net site based on topic suggestions from the audience. The presenter then must use his/her skills and work with the given slides. It got interesting when the hotel staff arrived with 100 shots of bourbon courtesy of HD Moore (CSO/Chief Architect @ Rapid7).<br />
<br />
Friday morning was pretty much just hanging out and waiting for the <a href="http://www.youtube.com/watch?v=PcxpeWs0Jds&feature=share&list=PLNhlcxQZJSm97hLg2WXjW1qTytN-pbDtv" target="_blank">opening ceremonies</a>. There were some great discussions going on in the hallways and main lobby of the Hyatt. Some of the best talks can be found in these "hallway cons" so I highly recommend getting involved in these sorts of discussions. You will learn something and you may even have a different point of view to add that could benefit the group. Eventually 1:00 pm rolled around and the talks began! They kicked it off with keynotes from HD Moore's The Wild West, Dan Kaminsky's Black Ops, and Mudge's talk about the <a href="http://cft.usma.edu/" target="_blank">Cyber Fast Track</a> program from DARPA. After dinner the 5 tracks began and continued through the weekend. I will not do a review of the talks I attended since I was pretty much in absorption mode and I am still catching up on the ones I missed as well as re-watching those I attended.<br />
<br />
As I touched upon earlier, there were a number of events going on during and after the talks. The big one was the CTF (Capture The Flag) competition. Your mission is to use your skills in hacking to find all the flags on the CTF network. I attempted but never got on long enough to even find the "beginner" flags. This was in part due to the WiFi network for the event being unavailable and the bouncing in and out of talks. These competitions are best handled by teams since the expertise needed to find the flags will vary. You may have to write an exploit or use some forensic skills to find the various flags. <a href="http://www.hackersforcharity.org/" target="_blank">Hackers For Charity</a> (HFC) held both a silent and regular auction throughout the weekend. They raised over $33,000 thanks to the very generous community. If you wanted to just wind down you can head over to the theater for the Hacker Movie Marathon. Maybe you want to know if you should get your CISSP, but you aren't sure if you have the right knowledge, then you could have headed over to "Are You Smarter Than a CISSP?" held on Friday night. You were given questions from each of the 10 CISSP domains, you can choose to answer them yourself or discuss it with the panel of actual CISSPs. They were also available to save you if you got a question wrong. <br />
<br />
Sadly Sunday morning came and it was time for me to leave the land of bourbon and horses. Unfortunately there were still a slew of talks and the closing ceremonies to attend but I will catch them on video. Next year I will plan on taking the training and staying until the closing ceremonies! One more thing specific to the conference, a big THANKS! to the organizers and volunteers. They made this such a great experience that I am still missing it a week later.<br />
</div>
<div>
<br /></div>
<div>
<br /></div>
<h2>Basic Security and You... and your friends, and your clients...</h2>
Posted 2012-08-22<br />
It seems as if nowadays when someone mentions Information Security, the first things that come to mind are the dreaded words: APT, China, and Cyber War. But there is much more to it, I think. The government is definitely on the cyber war kick. With nation states actively sponsoring attackers, and defense contractors locking up their IP tighter than the great firewall of China, who could blame them? I mean, viruses and other malware just jump through the air now and land on systems that are supposed to be off the grid! It's madness!!! The apocalypse is not coming on December 21st, it is already here! So while all the big boys fight it out with their budgets and search for the newest best shiny toy or magic unicorn-slaying bullets, what are the little guys doing? Who is protecting them?<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhklzpP4p8tqvVscBvCw2SeBs8xV9rZiw6AwzlhWCaOPZ6aKfY_b1bZSczvcQHNSl6DOkH5gXGkLJMlAoYaqToADc6o1PmIy7ZK8B_O84q3dPlDXfeP4syGe0CY7MlxHl-8JnxOuCh3Ik/s1600/Shodan_Main.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhklzpP4p8tqvVscBvCw2SeBs8xV9rZiw6AwzlhWCaOPZ6aKfY_b1bZSczvcQHNSl6DOkH5gXGkLJMlAoYaqToADc6o1PmIy7ZK8B_O84q3dPlDXfeP4syGe0CY7MlxHl-8JnxOuCh3Ik/s320/Shodan_Main.jpg" width="320" /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghyV8jJ-QJSrSe61H3LuO243wIXwyUU8KpwQ3WBeAG0zNREGOV2HKVDVjlzxqYl_czk8EPzfJH7UjXv2vDchyG85jJPAwhpVxpgkvuG8QmUyd3yUiOWYkboLhOZeyPSaLcTiJyBNk2nBg/s1600/SHODAN_Query_Sample.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghyV8jJ-QJSrSe61H3LuO243wIXwyUU8KpwQ3WBeAG0zNREGOV2HKVDVjlzxqYl_czk8EPzfJH7UjXv2vDchyG85jJPAwhpVxpgkvuG8QmUyd3yUiOWYkboLhOZeyPSaLcTiJyBNk2nBg/s320/SHODAN_Query_Sample.jpg" width="320" /></a>Over the weekend I was messing around with Shodan (<a href="http://www.shodanhq.com/" target="_blank">http://www.shodanhq.com</a>). For those that don't know, this is basically a search engine for Internet-connected devices such as routers, webcams, VoIP phones, power plants, and wind turbines... wait, what? Yep, those important systems that feed our electrical grid that people are always concerned about being attacked. But that is a discussion for another time. So back to this awesome tool and its many uses... Now one might ask, "How can something like this be allowed to exist???" Well, that is easy: the data it searches is publicly available on the Internet. It indexes the banners that exposed services return, so you can search on criteria such as open ports, website headers and response banners. You can also drill down to specific locations. For example, you can search for open FTP ports in your home town. Now I am not from Tampa, but I didn't want to out my own town. So as I was popping in different ports to search on, I stumbled across a list of open RDP (Remote Desktop Protocol) ports. Of course my curiosity got the better of me and I found one device that is a Windows XP system which could possibly be linked to, say, a financial department at a local university. I was like, oh fudge (only I didn't say fudge)!<br />
<br />
OK, so why is this so bad? I mean, after all, the staff must need to work from home and the school doesn't want to give them laptops for fear of them being lost with important data on them. But I am sure they encrypt all their laptop hard drives, right? Sadly, I doubt it. But who cares about laptops when you can just walk up to the front door and ring the door bell! Someone might say, "So what, even if they attempt to log in using a brute-force password attack, the accounts will lock." But there is more than one way to skin a cat. Enter <a href="http://technet.microsoft.com/en-us/security/bulletin/MS12-053" target="_blank">Microsoft Security Bulletin MS12-053</a>. This is a vulnerability in Remote Desktop which could allow remote code execution. Essentially, using the RDP service, an attacker can send instructions to the target without actually having to log onto the system. Well, I can't, but I am sure someone much more talented than I can. So this is a big deal: can an organization confirm that it is 100% compliant with patching to prevent these attacks? Knowing how much work it takes to keep a much smaller shop compliant, I would say no way! But who knows, maybe they are. It still begs the question: if they are so sure of their compliance, why are they not using much more secure methods of granting remote access to their network? So this brings my long-winded rant to a close and I will leave you all with the following thought...<br />
<br />
I had no luck with my other university contacts, so I am now tasked with the next steps: Do I track someone down at the school and say "um... you dropped something here" and show them the site and query? Or do I say screw them and their crappy security and move on? The enterprising youngster in me says, "hmmm, could be a nice lead." But the paranoid adult in me says, "Hell no, they will probably think you are hacking their network!"<br />
<br />
So what do you think? Leave your comments below!<br />
<br />
UPDATE 10/15/2012<br />
Sent the "Data Security Admin" an anonymous email stating the problem and heard nothing. Oh well, I tried. On to the next task.