Author Archives: Chris J

About Chris J

Chris J studies physical and information security. He started the Ann Arbor Chapter of TOOOL and attended Eastern Michigan University, where he got a degree in Applied Information Assurance. His work involves threat intelligence.

Zero Day by Mark Russinovich and Howard Schmidt

I recently finished reading Zero Day (Amazon affiliate link). Overall I liked the concept. The end was interesting but easy to see coming. The biggest issue I had with the book, though, was that it came off as under-researched when it came to the cultures.

The portrayal of foreign cultures in the book was very stereotypical of what we’ve seen from American propaganda, otherwise known as television and movies. It doesn’t fit with other books I’ve read that were set in those cultures, mostly non-fiction and travel books.

Overall the story was pretty good, but it was not as good as Daniel Suarez’s books, and I’m not sure yet whether I’m going to get the next book by Mark Russinovich.

I like the fact that we’re seeing more techno-thrillers coming onto the market, especially since they’re written by people who know the technology. They’re good reads for the general mass market. It also makes what we do accessible to people outside of our industry.

* Update 2024-10-05: changed to an Amazon affiliate link; I earn a commission from qualifying purchases.

knowing what your tools do

When I changed my firewall rule policy, part of the reason for doing it was that I was getting tired of seeing dovecot:auth failures in the logs. People around the world were brute forcing my mail server, and the rules had grown to 100 lines of nothing but blocks. I had thought they were coming from people hitting port 993 (IMAPS), and to a point they were. You can see below where it is dropping port 993 access attempts.


All the ip addresses that DenyHosts blocked

One of the things I did after getting iptables tweaked was to clear my /etc/hosts.deny file. About 99% of the entries were put there by DenyHosts, a great little background daemon that watches for failed login attempts over ssh and then blocks the attacker by adding them to /etc/hosts.deny.

Since I know some people are looking for these types of addresses for different reasons, and there are over 2300 unique ones in the list, I shared it publicly. You can get the list at pastebin.
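For anyone who wants to pull the same kind of list out of their own hosts.deny, here is a small script. It is an added example written for this page, not the script or list from the post. DenyHosts writes a timestamp comment line and then an "sshd: <address>" entry for each host; the exact wording of the comment line is an assumption, and the addresses in the sample are constructed from documentation ranges.

```shell
#!/bin/sh
# Added example (editor's, not the blog's own script): list the unique
# addresses in a hosts.deny file populated by DenyHosts.
# The comment-line format is an assumption; the sample addresses are
# constructed from documentation ranges (203.0.113.0/24 etc.).

SAMPLE_HOSTS_DENY='# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# DenyHosts: Sat Jan  5 08:12:01 2013 | sshd: 203.0.113.5
sshd: 203.0.113.5
# DenyHosts: Sat Jan  5 09:30:44 2013 | sshd: 198.51.100.7
sshd: 198.51.100.7
# DenyHosts: Sun Jan  6 02:14:09 2013 | sshd: 203.0.113.5
sshd: 203.0.113.5
ALL: 192.0.2.0/24'

# unique_denied_hosts FILE -> sorted unique IPv4 addresses taken from
# "service: address" entries. Comment lines are dropped first so the
# DenyHosts timestamp comments are not double-counted, and hand-added
# CIDR entries (which are not single addresses) are skipped.
unique_denied_hosts() {
    grep -v '^[[:space:]]*#' "$1" \
    | awk -F: 'NF >= 2 {
          gsub(/[[:space:]]/, "", $2)
          if ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) print $2
      }' \
    | sort -u
}

# count_denied_hosts FILE -> number of unique addresses in FILE
count_denied_hosts() {
    unique_denied_hosts "$1" | wc -l | tr -d ' '
}

# demo: run the functions over the constructed sample
demo() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_HOSTS_DENY" > "$f"
    unique_denied_hosts "$f"
    count_denied_hosts "$f"
    rm -f "$f"
}
```

Run unique_denied_hosts /etc/hosts.deny to get a shareable list; on the constructed sample it returns two addresses, since the repeated 203.0.113.5 entry collapses to one and the CIDR line is skipped.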


Firewalls and the default deny rule, does that make us bad?

Over the last few weeks I’ve been thinking of redoing my iptables, but by putting in a default deny rule, do we become bad netizens? Dropping everything that isn’t allowed actually makes it harder to fix the original problem: the fact that there are attacks to begin with, and the fact that boxes are compromised.

Over the last few months, since fixing the IMAPS part of my mail server, I noticed people hitting the server and failing to log in. These were not targeted attacks; they were automated bots, using the same users and possible passwords. I’d block them at the firewall, but every day there would be at least 2 new networks. Not all of them were from overseas.

For historical reasons I take a stance of contacting the abuse email for North American companies, and some European ones. I found that the large cable-company ISPs usually turn out to be black holes. The smaller ones, though, actually reply.

Last week I went through a week’s worth of logs, and out of the 47 ip addresses, there were about 30 networks. I actually sent 17 emails, and blocked only 13 networks. From that, 9 replied. Granted, they were mostly auto-replies, but I did have 2 that were interesting. One was from an ISP in England, and they thanked me for letting them know. The other was an educational ISP in California. They replied with where they found the problem and what their IR procedures were, along with a thank you.

That worked because I wasn’t blocking the inbound connections and was letting other tools protect the server’s processes. However, the iptables rules for inbound access had become larger than I wanted to maintain (over 100), so I rewrote them using a default deny. I now state what on my network can be talked to, and in some cases by which networks. Everything else gets dropped and logged.
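To make that concrete, here is a minimal default-deny ruleset in iptables-restore format. It is an added example written for this page, not the rules from the post. It assumes a mail server listening on 25 and 993 (IMAPS is on the page; SMTP is an assumption), ssh restricted to one admin network (192.0.2.0/24, a constructed documentation range), and a rate-limited LOG rule ahead of the DROP policy so the dropped attempts still show up in the logs.

```shell
#!/bin/sh
# Added example (editor's, not the blog's own rules): a default-deny IPv4
# ruleset in iptables-restore format. Ports and the admin network are
# assumptions; 192.0.2.0/24 is a constructed documentation range.

# gen_rules ADMIN_NET -> prints the ruleset on stdout
gen_rules() {
    admin_net="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to our own connections, and obviously broken packets
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# what on this host may be talked to, and by whom
-A INPUT -p tcp --dport 22 -s ${admin_net} -j ACCEPT
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -p tcp --dport 993 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# everything else: log (rate-limited so a scan cannot fill the disk),
# then fall through to the chain's DROP policy
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
COMMIT
EOF
}

# count_accept_rules ADMIN_NET -> number of explicit ACCEPT rules, a quick
# sanity check that the allow list is as short as you think it is
count_accept_rules() {
    gen_rules "$1" | grep -c -- '-j ACCEPT'
}

# apply_rules ADMIN_NET -> syntax-check the ruleset, then load it atomically
# (iptables-restore replaces the whole table in one step, so there is no
# window with a half-built chain). Needs root.
apply_rules() {
    rules=$(mktemp) || return 1
    gen_rules "$1" > "$rules"
    if iptables-restore --test "$rules"; then
        iptables-restore "$rules"
        rc=$?
    else
        echo "ruleset failed syntax check, not applied" >&2
        rc=1
    fi
    rm -f "$rules"
    return $rc
}
```

Run gen_rules 192.0.2.0/24 to see the ruleset, or apply_rules 192.0.2.0/24 as root to load it; the LOG line is what keeps the "dropped and logged" part honest, and the limit on it is the piece people most often forget.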

The downside to this is that while I can see the dropped connection attempts, I can’t see what the people are trying to do. Is it just a null hit, a failed login attempt, or something else? I also can’t report it back to other interested parties. While I feel better about their failures, I realize that I’m a bad netizen because I can’t contact their upstream with logs showing the problem.

Yes, I know I could set up a honeypot system and fight for both the user and the internet that way, but it feels more like being the complaint department than trying to solve things.

While I am going to keep using the default deny, because it’s easier to handle the rules on the firewall, I still don’t like that I’m walling myself off from the real problem and not trying to fix the underlying issue.

Over Thinking Problems

I think one of the problems we may have in this industry is overthinking the problem, and doing more than is needed for the problem. For example, I upgraded my personal VPS server recently, the one that runs this site and Rats and Rogues. It required a reboot, but because I rarely reboot this box, I keep forgetting that iptables isn’t persistent. I usually remember and restore it fairly quickly when it reboots.

The night of the upgrade wasn’t much different. However, I messed up the command. Being a lazy admin, I use the built-in tools to do the work for me. I love control-r and how it scrolls through your history based on a few characters you type. Well, instead of iptables-restore < firewall.rulz I typed iptables-save > firewall.rulz. Yes, I overwrote my rules with nothing.

My very first thought was WOOHOO, I get to do forensics on my live system. I went to twitter to brag, though I’m not sure if people realized that was the point. @secbuff asked why not restore from backup. He was right. The majority of the rules I have are for blocking ssh brute force attempts (the ones that make it past denyhosts), blocking mail relay attempts, and blocking user account enumeration. While playing forensics would be cool, this is a live host on the internet with services that do get attacked. It would have left the box exposed to the internet way too long, and was a case of overthinking the problem.

So I went and grabbed a backup file. Instead of uploading it, though, I opened it in a text editor, hand-sorted the rules by network number, and then pasted them into the terminal window. I also finally dealt with that persistence issue; we’ll see if iptables-persistence.dpkg worked right on the next reboot. Oh, and since I add networks on a regular basis (when reviewing my logs), I wrote a small shell script to make two copies of the rules in different locations, with a spare backup.
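The script I would write for that job looks like the one below. It is an added example written for this page, not the author’s script. Besides making the two copies and a dated spare, it has the one check that would have caught the mistake above: it refuses to save a ruleset that contains no rules over a copy that does, so a freshly rebooted, empty firewall cannot quietly replace a good backup. File and directory names are assumptions.

```shell
#!/bin/sh
# Added example (editor's, not the blog's own script): dump the live ruleset
# and keep two copies plus a dated spare, refusing to overwrite a good copy
# with an empty one. Paths are assumptions.

# has_rules FILE -> true if FILE contains at least one -A rule. iptables-save
# on a flushed box prints only the table header, chain policies and COMMIT,
# which is exactly the "nothing" that overwrote the author's rules.
has_rules() {
    grep -q '^-A ' "$1"
}

# dump_rules FILE -> write the live ruleset to FILE, but only if it is
# non-empty. Needs root; returns 2 when the live firewall has no rules.
dump_rules() {
    tmp=$(mktemp) || return 1
    if ! iptables-save > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if ! has_rules "$tmp"; then
        echo "refusing to save: live ruleset is empty" >&2
        rm -f "$tmp"
        return 2
    fi
    mv "$tmp" "$1"
}

# backup_rules SRC DIR1 DIR2 -> copy SRC to DIR1/firewall.rules and
# DIR2/firewall.rules, keeping the previous primary copy as a dated spare.
# Also refuses an empty source, so a bad dump can never reach the backups.
backup_rules() {
    src="$1"; primary="$2"; secondary="$3"
    if ! has_rules "$src"; then
        echo "source has no rules, not backing up" >&2
        return 2
    fi
    mkdir -p "$primary" "$secondary" || return 1
    if [ -f "$primary/firewall.rules" ]; then
        cp -p "$primary/firewall.rules" \
           "$primary/firewall.rules.$(date +%Y%m%d-%H%M%S)" || return 1
    fi
    cp "$src" "$primary/firewall.rules" || return 1
    cp "$src" "$secondary/firewall.rules" || return 1
}

# Stand-alone use: ./save-rules.sh --run (as root). Paths are assumptions.
if [ "${1:-}" = "--run" ]; then
    dump_rules /etc/firewall.rules \
    && backup_rules /etc/firewall.rules /root/firewall /var/backups/firewall
fi
```

Pair it with iptables-restore < /etc/firewall.rules at boot and the two directories give you a copy to fall back on even after a fat-fingered redirect.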

Research Project I’m trying to get off the ground

There is a project idea I’ve had for a few months now: tracking what happens to credit and debit cards that get posted to twitter. People are posting pictures of their cards to twitter. If I had to guess, it’s because they are excited, want to show off, and think only their friends can see it.


My name is Chris J, and this is how I do OSINT.

I’ve always been a fan of Lifehacker’s How I Work series. While this isn’t for Lifehacker, this is my “How I do Open Source Intelligence”. Recently a friend called and asked how I tracked data when doing OSINT. These are the tools and processes I use. It’s what works for me, and your mileage may vary.

The tools I use are a legal pad, a computer, a web browser, a personal wiki, a data analysis tool and, depending on the work, Tails and an SD card.


Book Review: The Private Investigator’s Handbook

I’ve just finished The Private Investigator Handbook: The Do-It-Yourself Guide to Protect Yourself, Get Justice, or Get Even by Chuck Chambers, P.I. (Amazon affiliate link).

The book’s subtitle is the key: The Do-It-Yourself Guide… I’ve been thinking of getting my P.I. license; it’s required to do digital forensics in the state I live in. I figured if I was going to do that, it would probably be a good idea to read up on the subject.

This book isn’t a how-to for becoming a private investigator; it is a book about doing yourself, before hiring a pro, a lot of the legwork that a P.I. is going to charge lots of money for. For some of it, you may get lucky and, working with your lawyer, not need a private investigator at all. For the most part I was disappointed with the book.

My disappointment stemmed in part from the book not being what I was expecting. The first several chapters, on finding and hiding assets, creating case files, social engineering, and the like, cover areas I think are covered better in other books (see Michael Bazzell).

However, the book really comes through in the last couple of chapters and the appendixes. Chapters Seven and Eight are Surveillance and Counter Surveillance. Again, while I think other books cover this better (see Antonio Mendez), this one breaks it down so anyone can learn it, whereas with the other books you have to think about what they’re telling you.

Lastly, the chapter on missing persons was pretty good as well. There were things he didn’t go into deep detail on, but there is enough information there to get a good jump on finding someone who is missing.

Overall I’d say this is a three-out-of-five-star book. As I said, some of the topics covered are covered better in other books. Several times in each chapter Mr. Chambers reminds you that he’s not showing you everything and that you need to hire a professional. You can just save yourself some time and money first.

* Update 2024-10-05: changed to an Amazon affiliate link; I earn a commission from qualifying purchases.