Tag Archives: incident repsonse

Book Review: The Complete Guide to Shodan

I’ve stumbled around with Shodan.io for a while now. It’s a great tool, but using it effectively has always eluded me. John Matherly has given me some great advice on twitter, and I like Daniel Miessler’s Shodan Primer. But I never really find the information I need at the time.

While I know it is great to find webcams and spying Super Gnomes, that is just something I don’t use Shodan for. A lot of the reason I use Shodan lately is for work. Usually someone in management asks will if anyone knows what Shodan knows about the company. Which of our systems are listed on there.

Today while stumbling around trying to look up the company name and the netblocks, and using Dan’s cheatsheet (linked above), I noticed a new link on the page. Book.

This link goes to Lean Pub’s “The Complete Guide to Shodan” by John Matherly. It is a pay what you want book. They suggest just under $5.00 USD, for the 60 page booklet. I’m saying it’s worth more than that. I paid $10.00, which I still think is too low for this book.

The book can be delivered to your Kindle or downloaded as a pdf, an Epub, or Mobi file. I grabbed the PDF and Kindle copies of the file (too small to read on my phone and never figured out how to get it to show up in the Kindle Cloud reader).

This book is divided up in to Web Interface, External Tools (like the linux command line), Developer API, Industrial Control Systems, Appendices, and Exercise Solution.

There are exercises at the end of the Web Interface, External Tools, and API sections. Not all of them worked the way they were described in the book. For example I couldn’t find the Rastalvskarn Powerplant, even though it shows up with the link in the solution section.

I’ve read some documents on the API and struggled to get them to work. After reading the book, while I still have some questions, I know I can write the Network Alert that management wants.

Get this book, it’s worth more than anything you’ll pay for it. While it is only just over 60 pages, the content is great! Especially especially the Filter list in Appendix B.

p.s. It is worth getting an account, and paying for access.

 

Business Email Compromise

Last week or so, I read the Symantec Security Response blog, talking about Business Email Compromise. Short version it talks about campaigns targeting C-level employees to try and do wire transfers. There were 2 type, one is the CEO emailing another C-level because he’s stuck in meetings and needs a wire transfer. The other version is an acquisition email, that hasn’t been announced yet.

The blog linked above has screen shot examples.

At my day job, I do occasionally work on Phishing emails. While the Symantec article was good, it is missing that the example emails are no longer going to the C-levels. While I haven’t seen the acquisition email yet, I have seen lots of the person in the meeting email going around.

It isn’t just at the C-levels. I’m seeing emails claiming to be from VPs and Directors, to underlings using the same comment about being tied up in meetings and needing the wire transfer done. Where I work the C-levels are good at catching them and reporting to them. The lower levels however have been fruitful targets.  Not realizing it is a phishing attempt and trying to comply.

We need to warn the lower level people in positions to send money.

New and Improved WiFi Intrusion Detection System. Pi 2.

So my last post I was fighting the Raspberry Pi 2, with Kali Linux 2.0.1, when it came to starting kistmet_drone on boot. Ian had a work around, but it wasn’t what I wanted. I wanted the built in tools to do their job. Well it turns out it’s a SystemD problem. I spent probably about 12 hours bashing my head against it, making changes and trying things.

Finally, I got smart with my Google searching, and found a slightly better way, but still didn’t want to call an external shell script. Then I spent time smacking my head on the desk. SSHD works, and starts by systemd, why not look at it’s config. Seriously the better you are at something, the less you think of the simple answers that made you good to start with.

2 new lines. One made SystemD wait until after networking was up. The second was a strange sshd -D option. man ssh. Oh doesn’t run ssh as a daemon…

remove –daemonize from Kismet… It worked.

SO….

 

Now to get everything ready before I leave for GrrCon in 17 hours, I’ll be presenting Saturday last I heard.

More on moving WIDS to the Raspberry Pi 2.

So I’m using the Raspberry Pi 2 and Kali 2 for this project so far. As I said last time, I had to expand the image to use the full disk. I have a script for that now. I was actually trying to script the whole deployment. These scrips can be found on my WIDS github repository. But fair warning they are still a work in process.

Continue reading

One way to try and up the game

Yesterday, I gave my opinion on the how I think we are missing an opportunity. Before it even went live Monday (I wrote it Sunday, and I’m writing this Monday night), a conversation happened. The main point is that Attackers are working together so why are the defenders all playing the Lone Ranger / Zorro by going it alone?

I also had quick twitter conversations with Ch3ryl B1sw4s and Timeless Prototype. One was related to yesterday’s post, one wasn’t. But here are some thoughts to try and up the game on the defense side. I’m not an expert, I’m just some guy working on a Master’s on Cybersecurity to go with my BS in Information Assurance.

The goals:

  1. Have a way for people who work in SOCs, on CIRT teams, Security, regardless of team size, even the guy who has to do it all at the small companies to have a group of peers who can be contacted and discuss things with.
  2. Keep the adversarial attackers out, but allow pen-testers and others access too if they want to join.
  3. Provide enough information to be helpful to each other without putting our companies at risk.

Step 1. Create a Security Operations based Web of Trust

We need a way to validate people. So lets say I’m on a CIRT, I can vouch for all my CIRT members. But if I have been interviewed by another CIRT I can vouch for the members that interviewed me there. That means, I can get those two groups talking and at some point, like a con they can meet.

Step 2. Secure communication channels.

Different options for communication. Out of band forums, chat (IRC), OTR IM, or whatever people think would be the best way.

This is multi-fold.

One it gives us a neutral ground to talk, and putting a layer between our conversations and our employers. For protection, obfuscation is not security but having a group invites attackers. Keep the company names out, and makes it harder to attack them because of our associations. It’s not to hide things from the company.

Two, this way if we have to contact another team with “Hey I’m seeing a lot Viagra ads coming from your domain”, I don’t have to worry about intercept because the mail server or mail dns is compromised.

Step 3. Share sanitized knowledge.

Note I said sanitized. This should make the stake holders at our employers a little more relaxed. They know we are sharing Indicators of Compromise, or hey I noticed this strange thing anyone else seeing it?

It would also be nice if someone finds malware aimed at another company to share that, instead of saying yep, not my company, without having to say all they did to find it. Just say “Hey I found this going after X, anyone else see it on their network. How about X, do you know your a target?

I’m sure this could be fleshed out more. I’m sure there are things I’m missing. I know it’s partly re-inventing the wheel, but really twitter is faster than Infragard on attacks, but with twitter both sides see them a the same time, while things get lost in the noise. I know HTCIA is a thing, but is it’s mission the same?

 

My thoughts on Ashley Madison Dumps: another missed chance to up the IR game

I don’t care what people want to do in there spare time. I don’t care about the teaser dump, I don’t care about the 9 gig dump, I don’t care about the 20 gig dump, and I don’t care about the 300 gigs that Impact Team claims to have.

However as someone who’s job it is to defend the company, a member of the Blue Team, there are responsibilities I have to the company. Instead of DMCA take down notices, Avid Life or at least the Incident Response team, should be working with any non-webmail based domain. So if a company’s domain shows up in the list, they should contact that company’s CIRT team. This allows the CIRT to defend against any possible attacks.

Now granted that the attacks the CIRTs are most likely to see are Spear Phishing and account brute force attacks. It still make sense to share the relevant information. I believe the same about the Anthem and OPM breaches. In all these cases, these have been missed opportunities.

Based on what I’ve done so far, what I’ve sat through in presentations, and what I’ve learned in school not enough of us are working together. Company CIRTs stop at the perimeter when they should probably be sharing information. I’ve seen too many in the industry saying “that’s their problem, let them find it”. Meanwhile how many times have we as an industry seen news stories saying Company X didn’t know they were breached until they were pinged by the U.S. Gov?

I know that Scott Roberts at his Bsides Columbus talk said there were Out of Band forums, and it sounded like the members were from multiple CIRTs, that some people use. But what is the usage like compared to all the CIRTs / Security Teams / Sole Admin supporting the whole company, that could use that kind of forum for help?

Should the CIRT team’s responsibility stop at the perimeter, or should all the teams out there have ways to work together through a web of trust to make attacking harder?

Updating talk

For Bsides, as mentioned earlier, I’m making some changes for the talk.

For Bsides Detroit I’m swapping out the original Raspberry Pi B devices from the project for the Raspberry Pi 2 B.

The first time I did this, with the RPi-B, I made one image got it working and then cloned it to the others. It caused minor problems with the wireless card naming. I also still had to touch them all to change names, static ip addresses, and the kismet configs.

This week there was a new version of Kali out for the Raspberry Pi 2 when I checked. So I downloaded it, patched it and installed the software. Then created the clone image.

I am going to have to touch each one anyway so figure I will just get the one image with the software, and then load each one and configure it.

Bsides Detroit 2015

The last schedule I have seen has me speaking at 4pm on Saturday the 18th at Bsides Detroit.

I know it’s a surprise to me to.

Talk is similar to the one I gave at Circle City Con on Raspberry Pi and Wifi detection.

New this talk: Looking at the clients, email alerts (I hope) and all on Raspberry Pi 2 (again I hope).

Designing a new home lab

I used to have a home lab of 3 cisco routers, and 3 cisco switches. That was for my CCNA training. Problem was, they were so old, they were not worth it. The lab also had 2 Intel 32-bit PC towers and a Sun Ultra 10. The Sun box was to get the Sun certification, but never got around to it. That isn’t to say that the lab wasn’t used. Just not used for the reasons I originally bought the components for.

Now, since I graduated and I have money to spend on building a new lab, I’m looking at getting something new set up. After watching Johnny X(m4s) and Eve Adams recorded talk from Derbycon. I decided on the following design.

Lab Design v1

So this will be on a separate internet connection from my home network. That means getting a second line to the house, but it doesn’t have to be the fastest line in the world.

The hope is to have the PFSense box, the Security Onion Box, and the Vmware ESXi box all running on Micorservers. The price for the Lenovo ones are decent.

I want a Cisco 3560g switch for Gig out all the ports, plus the layer 2 / 3 routing. Again the price isn’t too bad, about the same as the Microsevers. Lastly if I decide to go for the CCNA again, it should be useful.

The wireless access point was chosen from the Offensive Security WiFu class hardware list. I could use my old Linksys WRT54GL with dd-rwt on it. But it cant’ do N. Granted it looks like the Off-Sec recommended ones are only half N.

Lastly, it would be nice to have a peg board with all my Raspberry Pi devices attached to it. Requires being easy to remove them, but not a big issue. This would give me a place to have them while working and store them when not in use. If I can get POE on the 3560g, that means I can get a POE splitter and adapter for each Raspberry Pi, and don’t have to worry about power there either.

The laptop would be as needed device. I could use my current one or buy one to dedicate to the lab. Mainly it’s there for user interface purposes than anything else.

The only downside, even though I’m not paying for college classes out of pocket any more, is that it will take a while to build this lab. I’m going to have to piece it together a little at a time.

WordPress and some security

I was recently listening to Paul’s Security Weekly episode 366: How Security Weekly got defaced, and started thinking about my own security posture around my WordPress sites. When I first created The Rats and Rogues Podcast site, I read everything I could find and on WordPress security. There wasn’t much. Later when I created this site, I still wasn’t impressed.

Continue reading