So I’m using the Raspberry Pi 2 and Kali 2 for this project so far. As I said last time, I had to expand the image to use the full disk. I have a script for that now. I was actually trying to script the whole deployment. These scripts can be found in my WIDS GitHub repository, but fair warning: they are still a work in progress.
Moving WIDS to Raspi2.
So I tried to do this back in July but got sick. My next talk is at A2Y.asm on Sept 12, and I’m rebuilding all the Pi2s again with Kali 2.0.1. I have literally spent most of the day trying to expand the root filesystem.
There is a tool called rpi-wiggle that sounded really cool, but it hasn’t been updated in 3 years. It also didn’t work for the Pi2 running Kali 2.0.1. After lots of searching, I found a forum post talking about it.
After running apt-get install triggerhappy lua5.1 (from the Kali repos) and getting the raspi-config package from Debian, it says it worked. I’m waiting for the reboot to know for sure.
And it worked. From the console it says it has the full space.
Now if I were making anything other than a drone, I’d run apt-get install kali-linux-full to get the whole Kali experience instead of the light version. But I’m making a drone. So here is what needs to be worked on before I start making images:
- install: Kismet, NTP.
- boot to cli instead of gui
- change the root password
- configure kismet
- Clone
- configure static IP and daemon mode.
Normally I’d disable IPv6, and I still might, but the IPv4 and IPv6 stacks are working well together right now. In the past they haven’t.
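One way to script the list above, as an added example that is not the script from the author’s WIDS repository: it assumes Kali 2.0 boots with systemd, that the wired NIC is eth0 and the monitor-capable radio is wlan0, and that kismet (2013-R1, config at /etc/kismet/kismet.conf) and ntp come from the Kali repos. The config-rendering functions run anywhere; the apply step only runs as root when you pass `apply`.

```shell
#!/bin/sh
# Added example: provisioning sketch for a Kali 2.0 WIDS drone on a Pi 2.
# Not the author's WIDS repo script. Assumptions: systemd (Kali 2.0),
# wired NIC eth0, radio wlan0, kismet 2013-R1 with /etc/kismet/kismet.conf.

# Render a static-IP stanza for /etc/network/interfaces.
# Usage: static_iface IFACE ADDRESS NETMASK GATEWAY
static_iface() {
    printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n' \
        "$1" "$1" "$2" "$3" "$4"
}

# Render the kismet.conf lines that make the box a headless logger:
# one capture source, logs in a fixed directory, no GPS (the drone has none).
# Usage: kismet_conf WLAN_IFACE LOGDIR
kismet_conf() {
    printf 'ncsource=%s\nlogprefix=%s\nlogtypes=pcapdump,netxml,nettxt,alert\ngps=false\n' \
        "$1" "$2"
}

# Render a systemd unit so kismet_server starts at boot with no TTY
# (daemon mode) instead of being launched by hand from the console.
kismet_unit() {
    cat <<'EOF'
[Unit]
Description=Kismet WIDS drone
After=network.target

[Service]
ExecStart=/usr/bin/kismet_server -s
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Apply the steps from the list: install, boot to CLI, root password,
# static IP, kismet config, daemon mode. Needs root.
# Usage: sh provision.sh apply ADDRESS NETMASK GATEWAY
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    apt-get install -y kismet ntp
    systemctl set-default multi-user.target   # boot to CLI, not the GUI
    echo "Kali images ship with root:toor; set a real password now."
    passwd root
    # Remove any existing dhcp stanza for eth0 before appending this one.
    static_iface eth0 "$1" "$2" "$3" >> /etc/network/interfaces
    kismet_conf wlan0 /var/log/kismet >> /etc/kismet/kismet.conf
    mkdir -p /var/log/kismet
    kismet_unit > /etc/systemd/system/kismet.service
    systemctl daemon-reload
    systemctl enable kismet.service
}

case "${1:-}" in
    apply) shift; apply "$@" ;;
esac
```

Cloning is then just imaging the card after `apply` has run; the only per-drone edits are the address arguments and, if you use more than one radio, the `ncsource` line.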
One way to try and up the game
Yesterday, I gave my opinion on how I think we are missing an opportunity. Before it even went live Monday (I wrote it Sunday, and I’m writing this Monday night), a conversation happened. The main point is that attackers are working together, so why are the defenders all playing the Lone Ranger / Zorro by going it alone?
I also had quick Twitter conversations with Ch3ryl B1sw4s and Timeless Prototype. One was related to yesterday’s post, one wasn’t. But here are some thoughts on how to up the game on the defense side. I’m not an expert, I’m just some guy working on a Master’s in Cybersecurity to go with my BS in Information Assurance.
The goals:
- Have a way for people who work in SOCs, on CIRT teams, or in security generally, regardless of team size, even the guy who has to do it all at a small company, to have a group of peers they can contact and discuss things with.
- Keep the adversarial attackers out, but allow pen-testers and others access too if they want to join.
- Provide enough information to be helpful to each other without putting our companies at risk.
Step 1. Create a Security Operations based Web of Trust
We need a way to validate people. So let’s say I’m on a CIRT: I can vouch for all my CIRT members. But if I have been interviewed by another CIRT, I can vouch for the members who interviewed me there. That means I can get those two groups talking, and at some point, like at a con, they can meet.
Step 2. Secure communication channels.
Different options for communication: out-of-band forums, chat (IRC), OTR IM, or whatever people think would be the best way.
This is multi-fold.
One, it gives us neutral ground to talk and puts a layer between our conversations and our employers. Obscurity is not security, but a group like this invites attackers; keeping company names out makes it harder to attack them through our associations. It’s not about hiding things from the company.
Two, this way if we have to contact another team with “Hey, I’m seeing a lot of Viagra ads coming from your domain,” I don’t have to worry about interception because their mail server or mail DNS is compromised.
Step 3. Share sanitized knowledge.
Note I said sanitized. This should make the stakeholders at our employers a little more relaxed. They know we are sharing Indicators of Compromise, or “hey, I noticed this strange thing, anyone else seeing it?”
It would also be nice if someone who finds malware aimed at another company shared that, instead of saying “yep, not my company,” without having to say everything they did to find it. Just say “Hey, I found this going after X, anyone else see it on their network? How about X, do you know you’re a target?”
I’m sure this could be fleshed out more. I’m sure there are things I’m missing. I know it’s partly re-inventing the wheel, but really Twitter is faster than InfraGard on attacks; with Twitter, though, both sides see them at the same time, and things get lost in the noise. I know HTCIA is a thing, but is its mission the same?
My thoughts on Ashley Madison Dumps: another missed chance to up the IR game
I don’t care what people want to do in their spare time. I don’t care about the teaser dump, I don’t care about the 9 gig dump, I don’t care about the 20 gig dump, and I don’t care about the 300 gigs that Impact Team claims to have.
However, as someone whose job it is to defend the company, a member of the Blue Team, there are responsibilities I have to the company. Instead of DMCA takedown notices, Avid Life, or at least its Incident Response team, should be working with any non-webmail domain. So if a company’s domain shows up in the list, they should contact that company’s CIRT. This allows the CIRT to defend against any possible attacks.
Granted, the attacks the CIRTs are most likely to see are spear phishing and account brute-forcing. It still makes sense to share the relevant information. I believe the same about the Anthem and OPM breaches. In all these cases, these have been missed opportunities.
Based on what I’ve done so far, what I’ve sat through in presentations, and what I’ve learned in school, not enough of us are working together. Company CIRTs stop at the perimeter when they should probably be sharing information. I’ve seen too many in the industry saying “that’s their problem, let them find it.” Meanwhile, how many times have we as an industry seen news stories saying Company X didn’t know they were breached until they were pinged by the U.S. Gov?
I know that Scott Roberts, in his BSides Columbus talk, said there were out-of-band forums that some people use, and it sounded like the members were from multiple CIRTs. But what is the usage like compared to all the CIRTs / Security Teams / sole admins supporting a whole company that could use that kind of forum for help?
Should the CIRT team’s responsibility stop at the perimeter, or should all the teams out there have ways to work together through a web of trust to make attacking harder?
Are lost phone tools worth it?
*See edits at bottom.
I don’t know if I’ll be able to answer the question. I’ve been using Android Lost and Prey for years. They’d worked OK in the past, but when I “lost” my phone recently neither tool worked.
To be honest, this is the second time these tools have failed.
We need to fix how we do configuration files
I’ve been in the industry a while. I learned Unix and Linux administration in the mid to late 90s. I remember the old monolithic configurations, and I’ve seen the overly complex modular configurations for things we have now.
Currently trying to read
Having such a hard time finding time to read. Here is my current list:
- Blue Team Handbook: Incident Response Edition (for work)
- Counter Hack Reloaded (for work)
- Wireless Reconnaissance in Penetration Testing (for my raspberry pi projects)
- Kathy Reichs Bones of the Lost
- Dresden: Summer Knight
- Dresden: Death Masks
- Dresden: Blood Rites
- Google Earth Forensics (needs to be read while at a PC with Google Earth, hands on)
- Mass Killers (need to finish)
- Rise of the Warrior cop (need to finish)
- The Hobbyist’s Guide to the RTL-SDR (needs to be read at a PC, with the SDR, hands on)
- Kathy Reichs short story Bones in her Pocket
- Incident Response & Computer Forensics
- Hacker’s Challenge 1: Incident Response
- The 30th edition, illustrated Princess Bride (birthday present)
And of course, classes start soon, which means even less time to read. The novels I could probably do as audiobooks with my current drive, but I’m not a fan of audiobooks; I zone out and miss too much.
Of the above list, the ones with bookmarks in them: Mass Killers, Blue Team Handbook, Google Earth Forensics, Rise of the Warrior Cop, and The Hobbyist’s Guide to the RTL-SDR. Counter Hack should be in that list, but I lost my other copy and bought a second, so I’m starting fresh.
Book Review: Getting An Information Security Job for Dummies
First off, Getting an Information Security Job for Dummies took way too long for me to read, but that’s because of other commitments. I got the book in May, when a lot of people in the echo chamber were trashing it. I was also looking for advantages in trying to find a new job that went with my B.S. in Information Assurance, and after 6 months I was feeling desperate.
First, the book isn’t as good as it could have been. Second, it wasn’t as bad as people were making it out to be on Twitter. Third, the author uses too much of his own personal experience in it (something I’m guilty of with this blog). Fourth, he kept equating lock picking to crime, which I didn’t like at all; being from Washington, I thought he’d do better. Lock picks are legal there.
Trade School, Degree, or something else completely?
Last Thursday I listened to Risky Business 377. The part that really got me engaged was the section with the sponsor, RSA. They were talking about how they are working with schools to build educational SOCs.
What they were talking about, though, and I’m paraphrasing from my point of view, was making universities less theory-like and more trade-school-like. For example, why not add a Check Point certification class so students get out with some experience and a certification after 3 months of class?
New Job and stuff
So for those who hadn’t heard, I started a new job about a month ago. I’m no longer doing firewall audits, secure network design, and mainframe web emulation. I was kind of sad to leave some of the projects I was working on unfinished, but that was the nature of the beast.
So now I’m working in a Security Operations Center as a CIRT Event Analyst (or at least that was the job description they sent me after I interviewed, of what the job was going to be).
The downside is I now have a 2+ hour daily commute. It should take 45 minutes or less, but we only have 2 seasons: Winter and Road Construction. It also means I have less time to work on things I want to. Reading and projects have been affected.
I’ve also been less than healthy lately. I got really sick before BSides Detroit. The night before the con, I was at the hospital. I ended up missing the con because of being sick: a fever for a week, and everything spinning regardless of whether I was sitting, standing or lying down. Turns out I had an inner ear infection. Got drugs that helped but didn’t make me better. I ended up running a fever for 3 weeks. Now I just have this annoying cough.