Category Archives: Tech posts

Shodan for the IT Pro

So there you are dropping by your customers and making sure their servers are patched and systems are running normally.  For security you make sure AV is running and the firewalls are configured, but what are you missing?  Do the customers have access to make changes to the firewalls?  Do they have marketing teams or engineering groups who stand up systems outside the company?  How can you determine what is out there for your clients??

Shodan IP Camera Search

Well that is where something like Shodan comes into play.  It is the Internet of Things search engine.  You can search for everything from IP web cameras to industrial control systems.  But what does that all mean to the IT Consultant just trying to keep their clients online and running?  Well lets talk about those engineers or marketing people.  Shodan allows you to search for everything from IP addresses/networks, protocols/ports, and keywords.  The free version will let you search for the basic web protocols – 80, 443, 23, 21, etc… Using the a paid subscription you will gain access to searches for any ports as well as the ability to run reports.  This has been a well known tool to those of us in the Information Security industry, whether we are performing recon activities for a penetration test or building intelligence for organizational threat assessment.  Or just simply identifying possible shadow IT systems deployed without our knowledge.

Shodan Organization Search

So what value is this to the IT pro?  Well you can perform checks of your clients IP space or perform an organization search – org:”Your Company Name”.  This will typically display the information from the TLS certificate.  From there you can review the IP and host names and run additional checks on the network ranges.  This is just he tip of the ice berg with what is available from Shodan.  They have APIs available that can be used with scripting languages such as Python and even Powershell.  Scripts can be written to schedule regular checks on specific terms or searches of known address spaces.  This becomes a great resource for those smaller organizations that do not have the large budgets to perform full threat assessments or implement threat intelligence practices.  And at the very least it makes for a fun Saturday morning activity while you have your coffee.

InfoSec Talent Shortage

So this has been an ongoing discussion in the industry for a while now.  As companies continue to grow and expand their digital footprint, they expose themselves to a greater number of threats.  In turn they need people to manage the monitoring and mitigation of those threats as well as the remediation when things go south.  So the solution that all the research firms recommend is to hire an MSSP, because they can do all the things!

How do the MSSPs fill their positions?

That is a question that should be asked when considering that path.  Some suggest the MSSPs pull from cheaper labor pools.  If that is the case, then what are you actually getting when signing up with these providers?  If you are getting cheap labor then you are either getting under-skilled analysts and engineers, or barely entry level prospects with the ability to read a script and follow a basic procedure.  The information security industry is not an entry level service.  The “junior” analyst needs to have a general understanding of what the based technologies are and how they work.  If they are looking through logs and see an IP address, they should know how to look that up and find information about it.  Or if a website isn’t loading correctly, where to look to see if it is a network issue, web filtering, or simply just a bad site.  On the flip side, a junior analyst would need to know how best to pull in a lot of data and turn it into a presentable format to show to the customer.  That being said, are their “senior” analysts just the juniors with more training?  How many of the MSSP’s staff are actually veteran IT/InfoSec professionals?  How many have had to build and support their own infrastructure?  Or are they just good readers and simply email you a canned alert from your SIEM and say “it might be something…”  Or are they truly skilled people and the MSSP is offering some pretty good incentives to come work for them?

What are we not offering to entice the skilled labor our way?

  • Are we not offering competitive salary and benefits?
  • Do we not provide enough training opportunities?
  • What are prospects looking for?

Salary and benefits are great to peak some interest, but frankly if it is truly competitive, at some point there is a ceiling and it won’t mean much to a seasoned security architect or engineer.  They might be looking for a fun challenge or perhaps a good balance between work and life.  This industry provides its share of challenges both fun and frustrating.  That last bit can lead to some pretty heavy burnout which then leads to people exiting those positions or worse, staying too long they become a toxic member of the team.  Burnout and stress can lead to poor health, so all the money in the world is no good if you are spending all your time in doctors’ offices trying to figure out why you aren’t sleeping or have a sudden heart condition.

Training!  Offer it and don’t be cheap about it.  It’s the old argument “what if we train them and they leave… but what if we don’t and they stay”.  Those of us in the industry are not new to self-education but you as an employer cannot expect that we want to use our free time to learn something that is related to a specific technology we use in that particular job.  For example, if we are interested in IoT security research and we spend our free time in our home labs tearing down the latest IP camera to see how it works, we don’t want to share that time with going through the vendor training for our latest spam filtering service.  That should be done with reserved time in the office.  Now if you offered the latest in SANS training, then you might peak our interest.  This is vendor agnostic training that promotes principals and techniques over various subject matters in InfoSec.  Sure the classes are expensive, but they are worth every penny.  Many can be done remotely or in self-paced virtual classes.  That means no travel expenses!

So money isn’t everything, do you offer decent enough vacation time and will your prospects be able to take it?  Time off is no good if the prospect is the only member of an incident response team and is on call 24/7.  Be realistic in your expectations of the position and be able to support time off for your staff.  But even vacation time may not be a big seller, specially if it includes sick time as part of the bank (generic PTO vs separated vacation and sick time).  Maybe your prospect is looking for an employer who is active in the community and in turn encourage speaking opportunities both inside and outside of the company.  One other possible opportunity is what career paths are available to your prospects?  Will there be manager opportunities or senior lead/sme positions available?  Not everyone wants to be a CIO and there are usually plenty of managers.

So how do we fix this?

There will be no simple solutions to this, in many cases, you have to realize there is not a lot of difference between your org and the one next door.  You both have similar problems to solve and need similar positions filled.  At the end of the day it makes little difference to your prospect if you sell X widget and they sell Y.  In the end we like puzzles that have possible solutions, not a mess of knotted Christmas lights that keep coming.

InfoSec Career “Quick-start” guide

  1. Install Kali
  2. Pwn all the things
  3. Collect big paycheck!

So what I really want to accomplish with this post is to provide a series of sources to help you get going in your infosec career.  I had a much longer post going on about building a good base of other technical skills and such but lets just get to the meat of it.

Online Training

Free Resources:

  • Codecademy – Offers a number of free courses with added features if you upgrade to a pro subscription.  Great place to learn Python and Ruby.
  • Udacity – Much wider selection of programming courses, possibly better place to start for you App Sec types.
  • Microsoft Virtual Academy – Yes, even MS has a ton of free training resources.  Powershell to .NET C#!

Paid Sources

  • PluralSight – 30 bucks a month and a free trial.  They cover a wide variety of topics from CISSP to OWASP Top 10 for .NET with Troy Hunt.
  • ITProTV – Covers a wide variety of content spanning IT, probably a good place to start if you need to build up those base skills.  A bit pricier than PluralSight but has a stronger focus on IT in general.  Also you can probably find a discount code if you listen to Paul’s Security Weekly.

Podcasts

  • Security Weekly – They have expanded beyond the initial Security Weekly podcast to cover Enterprise, Startups, and Securing your digital life.  Listen to them all or pick and choose!  The team is great and you can’t go wrong, they will get you asking “What is the problem we are trying to solve??”
  • Risky Business – Covers the weekly security news from an Aussie perspective and includes special segments and interviews.
  • Southern Fried Security – Weekly-ish topical security discussions from the south.
  • SANS Internet Storm Center (ISC) – a quick 5-7 minute daily micro-cast covering security highlights.

Social Media

Twitter – Pretty much start with the people who host the above podcasts and the ones followed by our twitter account.  It is a great place to start interacting with the active security community.

Conferences / Meetups

  • Security BSides –  Spawned out of rejected CFPs from Blackhat 2009, Security BSides has evolved into a global series of events put on by local security communities.  This is a great place to get your feet wet and the cost is free to minimal.
  • DerbyCon –  5 day con down in Louisville, KY.  One of my personal favorites if you can fly and afford the hotel.  If you are in a reasonable distance you can also drive.  They have 2 days of training sessions before the actual conference.  It is a more intimate conference compared to the likes of DEF CON.  They also include nightly activities and a CTF that has something for all skill levels.  When you are there make sure to stop by the hardware hacking and lockpick villages!
  • CircleCity Con – I can’t speak on this one but the organizers are a great bunch.  If you can get to Indianapolis in June, check this one out!
  • Thotcon – another small con, it already happened this year but put it on your calendar for next year if you are going to be in the Chicago area.
  • DEFCON – Can’t mention the others without mentioning this one.  Without Blackhat and DEFCON we would not have the community that we have now.  I have yet to attend either of these but it is on the bucket list.
  • Meetups – Google search for local groups in your area.  Check around at Maker and Hacker spaces.

Other Resources

So that is it for now, hopefully you found this useful.  If you have other resources you come across feel free to message me on twitter and I will post an updated list.  Good luck and remember, if you are looking for your first official security gig, don’t be afraid to apply even if you think you are not qualified.  The smart employers may look past the lack of skills if you can demonstrate the right mindset for this work.

 

BSidesCT Azure Security Talk

As I sit here on the nice shady patio enjoying my morning coffee, I figured I should probably post up my slide deck from my first official talk.  First of all BSidesCT was great!  The organizers made some classy laser cut badges this year and the CTF was a good time (actually got 4th in it!).  Will I submit another?  Who knows?  I think I will build on it a bit and learn more about ASP.NET in the process.  Ok, on to the side deck as my yard work is calling (thought I took Friday off for fun?)

Of Course My Cloud App is Secure, It’s in Azure

Some notes to add to the deck when it comes to the logging Azure Websites:

  • Azure has added the ability to bring log files down via FTP/FTPS.
  • They have added other log tools such as Log Stream which lets you watch your application and web log activity.
  • Azure PowerShell can do it using get-azurewebsitelog –name <appname> -Tail
  • Azure Powershell can do it with save-azurewebsitelogSaves to zip in directory you run the command from.

Other items to note when moving to any cloud solution:

  • Many security features are not enabled by default, though Microsoft does notify you of certain ones to turn on through Security Center
  • You can encrypt your Azure SQL Databases!
  • You can enable 2FA for your Azure/Live Account as well as implementing it within Azure for Azure AD or Web Apps.
  • Review your SLAs!!!
  • And of course way the risks of any cloud service.  Not all data is created equal and some of it is better off staying on-premise.

OK the temp is rising and it isn’t even noon yet, the yard awaits!

Anatomy of a Javascript Downloader

So one of your users got an email from a supposed vendor with an attached invoice.  The invoice wasn’t a PDF, word doc, or even an excel sheet.  It was a zip file, and the user opened it as well as opening the “.js” attachment.  Now they called you explaining that they can no longer open any files on their computer or their network share.  The files have all been renamed and the user  has no idea what the heck happened.  You already have a good idea that they downloaded some type of crypto ransomware.  But how did it get through??  You thought you had adequate protection with antivirus as well as web/email filtering.  After chatting with the user, you were able to obtain the original email that she opened unfortunately there wasn’t much you could get from it.  The email address it came from was most likely compromised, so you added it to your anti-spam black list.  You noticed a bunch of files in the zip but when you tried to look at them in notepad it was just a big blob of code that didn’t make sense.

Fig. 1 raw javascript file

Fig. 1 raw javascript file

There are only a few areas that might look like readable code, but most of the file is what we call “obfuscated”.  The malware author encoded most of the code which helps prevent typical anti-virus software from picking up on the malicious parts.  Also this is javascript which could also be used for legitimate purposes.  At this point you could submit the samples to your AV vendor so they could update their definitions and protect the rest of your users from infection.  You can also upload them to Virustotal.com. But what does this file really do?  It is obfuscated so most online analysis tools may not be able to pick up on the actual instructions.  These javascript files are usually just the delivery method for the cryptoware and that is where Remnux comes in to help.

REMnux-logoRemnux is a Linux toolkit for reverse engineering and analyzing malware. It has a number of different analysis tools to assist in malware analysis.  One of my favorites for handling these types of files is JSDetox.  This is a docker based app that will analyze the messy javascript code seen in Fig. 1.  In order to start it up, just type JSDetox in a terminal window.  It will then instruct you on how to start the Docker image (See Fig. 2.).  Once it starts up you will then be able to connect to http://localhost:3000.

Fig. 2 JSDetox Startup

Fig. 2 JSDetox Startup

Fig. 3 JSDetox Dashboard

Fig. 3 JSDetox Dashboard

Open the browser in Remnux and connect to http://localhost:3000.  You will then need to upload the obfuscated javascript file in order to complete analysis.  Simply click the “Upload” button and choose the bad JS file.  If you click the “Reformat” button, it will organize the Javascript code into a more structured layout.  Unfortunately this will not deobfuscate the code.  (See Fig 4.)

Fig. 4 Reformatted

Fig. 4 Reformatted

Detoxed Javascript Code

Fig. 5 Detoxed Javascript Code

Now lets make some sense of it!  Click on “Analyze” then scroll down to look at the deobfuscated javascript code (See Fig. 5).  It begins to make a little more sense right?  The code builds out a number of variables that are then put together further down via instructions.  What it eventually does is calls out to a URL using a GET request.  It downloads and runs an executable in the computer’s default TEMP directory (See Fig 6).

Fig 6. Instructions

Fig 6. Instructions

At this point you can examine other systems for possible infection by looking for the executable file in the temp directory.  You can also take the URL and add it to your web filter block list.  You should also check your email service to ensure you can block such files from making it to your users.  Google Apps does a pretty good job at blocking these types of messages.  Microsoft Exchange requires a bit of magic with Transport rules as it’s default Exchange Online Protection service doesn’t block .js files nor does it look inside zip files.  If you have some form of anti-spam or email gateway security solution in place, it should prevent these as well.  But if you are a small business, you may not be so lucky to have a budget for such things.  Good luck and happy hunting!!

Update 5/6/2017

As a follow-up to this post, you can also look at using a group policy to set the default application for javascript files.  Currently it is set to open with the Microsoft Windows Script Based Host (wscript.exe).  Set js files to open with Notepad and they won’t execute.  That being said, always verify that production applications are not utilizing local javascript or else you may have a bad day.  I have never seen anything in my travels that would justify such things but you never know.

Regarding the Dell Security Bug

First of all read up on the details over at Krebs On Security.  He has a pretty good explanation as to what Dell did as well as additional reference sites on the matter.  The Reddit discussion in the reference section has some good technical details.  But what does all this mean to the regular folks out there who buy their Dell laptops and like to enjoy their drink while using the free wi-fi at the local coffee shop?   Continue reading

Humans Need Not Apply

Watched this video this morning and it reminded me of a time when I went to visit a relative in the hospital.  I noticed the hallway had a number of small antennas sticking out of the ceiling every few feet.  I figured “Hey that’s some pretty extreme wi-fi coverage!”  A few minutes later an automated medicine cabinet came rolling down the hallway.  It stopped at every room and dispensed meds to the patients.  If you stood in front of it, it would wait for you to move before continuing.  And this was probably over 5 years ago!  So yes the age of automation is clearly underway.

So this post may not be very security focused, but it will apply to us just as much as it applies to the nurse or pharmacy tech that was replaced by that robot.  As costs go down to utilize automated bots (both software and hardware) so does the need for humans in those positions.  The video covers it well, so take the 15 minutes to watch.  In IT we are seeing this happen on a regular basis, hell some of us probably wrote some nifty scheduled tasks to free us up from doing all those repetitive sys admin jobs.  We may have even written someone out of a job by automating the management of users.  And we certainly should because that frees us up for concentrating on more long term goals, upgrade plans, new hardening techniques… etc.  Heck, back in the day, it would take us weeks to bring a new server online, fully patched, hardened and tested.  Now I can log into AWS or Azure and spin entire remote AD environment up in a couple hours (depending on specs).  That includes a site-to-site VPN with the virtual network I just setup as well.  All that could even be automated as all of it can be done through Powershell.  As for testing the systems, well that is also being automated more and more.  Netflix employs their Chaos Monkey to bring systems down during business hours so that they can make sure their apps continue running if such a thing happens when no one is around to fix.

So the days of clicking “Next.. Next.. Next… Finish” are over.  If you are not picking up a scripting language to help with your job or learning to make LEDs blink on the breadboard, you may become obsolete.  If you have kids, it would be wise to push them towards the math and sciences.  Get them Lego Mindstorm sets!  Show them Codecademy!  Bring them to a maker fair and let them see the cool things done with 3D printers, laser-cutters, and robots!  We once taught a bunch of kids how to pick locks, don’t worry we told their parents that locks don’t work anyway.

So the bots are coming, you could either be the one creating them or the one being replaced by them.  Either way, the years to come will be interesting!

RTFM – Installing the update doesn’t automatically fix the vulnerability

Recently I was going through my vulnerability scan report and noticed one of the top 5 plugins was in regards to MS15-011.  Reading through the report it mentioned that the patch KB3000483 was installed but UNC Hardened Access was not enabled via Group Policy.  After further reading of the KB article, I realized what needed to be done.  Microsoft was nice to give some recommendations and such.  So I enabled the UNC Hardened Access on the SYSVOL and NETLOGON shares for the domain.  I did not do it for the file shares as we tend to use multiple OS platforms.  Though I would recommend doing so if you are running in a single platform environment (All Windows).

Continue reading

“But I need have local admin to run this!”

March is finally here!  The walls of snow are melting down quickly here in New England.  I can finally see grass!  Well ok… it is more like torn up chunks of sod from completely missing the side walk with the snow blower, but it has remnants of grass.

During my hibernation, I remembered some conversations from the past.  Mainly they had to do with “discussions” with users about their needs on their systems.  They commonly revolved around the requirement of administrative rights on their local workstations.  Which of course lead them to believe their current user account was the one that needed those rights.  Well most of us in security, as well as many others in the Systems Admin side of things, know that this is bad and should never be granted without a really good reason.  But does this mean it isn’t possible to grant these users their wishes? Continue reading

Network Security Protections when not in the office…

So in a previous life, I worked for a large enterprise which had many laptop users and a good size remote workforce. When I first took my laptop home for the night, I realized that for one, I could connect to any wireless network… and two I was no longer behind my web filtering servers. This article reminded me on how often this issue is overlooked: Postal Service Suspends Telecommuting

Continue reading