I've spent the last few months coming to terms with the fact I have anxiety. My wife had brought it up a few times, but things really came to a head as the pandemic pandemonium hit the Upstate.
The last year has seen a lot of changes both personally and professionally. Finally I have gotten to a point where my routine allows me to focus on more than just completing the next task.
I pulled the plug on my email server this morning…and I should have done it months ago. I decided to abandon my self-hosting plans after just under a year. Why? As I mentioned in my original post, hosting web and email servers can be an exercise in masochism. It is also not an endeavor for those with a lack of spare time. A great deal has changed in my personal and professional life over the last year, and dealing with all of the extra technical work did not appeal to me.
This edition of “Grey Hat Hacking” builds upon the previous four editions by providing updated and expanded information on several key aspects of ethical hacking.
Endpoint security tools can be a real pain when trying to get accurate vulnerability scans. Some tools go so far as to kill off a generic Nessus scan. Each has its own bypass mechanism.
After several weeks of nothing happening malware-related at work, my phone pinged and alerted me to someone caught red-handed clicking on something they shouldn’t have.
Exchange 2013 or later fails to properly authenticate and validate certain requests, allowing a remote attacker with access to an Exchange mailbox to gain full Domain Administrative privileges.
Reporting might sound like an odd place to start a pentest. When most well-known pentesters say that reporting is one of the most important parts of the test, you tend to sit up and take notice.
In my never-ending quest to learn more about hacking in general, I’ve decided to take on a personal project and bone up on the skills required for penetration testing.
I suggest putting these in your incoming mail filters to get alerts for possible ransom attacks. The recent spate of email-based bomb threats all contained wallet addresses.
Here is a summary of some secure file sharing tips culled from a Twitter thread over the weekend.
I was given the opportunity to run some tests against the wireless infrastructure at my office. The actual scenario is to deploy a rogue access point and start gathering intel on the organization. But I decided to take this a step further and do some pre-work to make a convincing rogue AP. What follows is my initial framework that I developed researching how to crack a WPA/WPA2 pre-shared key network. I’ll revisit this and improve on it as I gain more experience.
Here are some tips for unmasking a site hosted behind CloudFlare. YMMV as I have not yet tested these.
Here’s a list of security conferences and events within a few hours’ drive of Greenville, SC. I am amazed at the number of B-Sides in the area after living at least 6 hours away from EVERYTHING for so long.
The great Google purge continues with two minor steps forward.
November is Critical Infrastructure Security & Resilience Month - so what does that mean to you? To me - it means make a difference where you can.
The FSSCC released a new tool that hopes to reduce the number of hours spent answering redundant security control questions. Like the ACAT tool, the new Cybersecurity Profile attempts to determine an institution’s risk impact level. The main difference is the ACAT attempts to define the scale of the risk based on organization size, whereas the Cybersecurity Profile attempts to define the impact of the institution on everyone else. Much like how NERC attempts to establish a utility’s impact on the greater grid before applying controls, the FSSCC’s Profile modifies some controls based on the impact assessment results.
It’s always good to know where random credit card numbers live on your network, even if PCI compliance isn’t a concern for you. Any unencrypted credit card information should be purged from the network to prevent accidental disclosure. I have used grep and Nessus in the past for these audits, but both were lacking in their functionality. Fortunately, I recently stumbled across the PANhunt repo on GitHub.
Here are a couple of tips, courtesy of @HanseSecure, for using NMAP and avoiding firewalls.
I know I’ve said I do not like pain…but I must be a masochist for moving almost everything I do into something self-hosted. Why on earth would anyone do this to themselves?
This book contains a number of valuable concepts for those new to IT as well as those who have been around for a while. While the book is somewhat dated technically (circa 2005), the advice is not. Topics range from how to deal with your boss, customers, managing email, automation, and eliminating busy work. It’s a quick read and definitely worth a look.
So I’ve finally grown tired of beating my head against the WordPress wall. I am sick and tired of all of the routine overhead involved with WordPress. I get spastic every time I see another Russian/Chinese/Viagra spam comment bot, and I get a migraine every time mod_security shits a fit and blocks all of the back-end PHP. Fire erupts from my ears and obscenities from my mouth. The whole routine just sucks time away from actually doing work and generating content. Combine that with the increased attack surface and inherent difficulties with DR, and it’s time to go. I want something that is relatively simple, not much harder than actually writing the content, and doesn’t require me to learn an entirely new markdown language.
This is a work-in-progress. Most of what is contained here was originally culled from my experience over the years. I have slowly been going back and trying to find backup documentation, validate assumptions, and ensure I’m up to date. The ‘checklist’ is vendor-agnostic at this point and geared more towards the protocols in general, with a focus on security and resiliency.
The FFIEC’s Cybersecurity Assessment Tool is an excellent tool to not only determine your organization’s security maturity level but also help develop a roadmap for increasing overall security levels.
Echo in Ramadi: The Firsthand Story of US Marines in Iraq’s Deadliest City by Scott A. Huesing
Echo In Ramadi details the hell on earth faced by Echo Company, Second Battalion, Fourth Marine Regiment during 2006. This book is very dear to me as this was my brother’s (Cpl Dustin J Libby) final tour.
A great deal has changed in the last two months for the better. My family has completed our move to South Carolina and we are loving all of it. There is still a good amount of adjustment to do, but we are getting by. My only regret at this point is not being able to get my boat in the water just yet.
What did I learn by going thru a NERC CIP audit? A lot…
ISC2 has finally formally approved my CISSP certification. One major goal for the year has been completed…now for all the rest!
It looks like big telco is trying to break up wholesale subsidies, according to an article in ArsTechnica.
I’ve made a great deal of progress with my personal goals over the last few months. My CISSP is currently in review waiting for final approval, and my GPEN is in progress. I’ve even managed to post semi-regular blog posts.
We are steadily making progress on our family goals as well. A child enrolled in college, one property sold, another on the market, and an offer placed on our new property. If things keep moving at this pace, 2018 is going to be a great year.
More to come!
One of my biggest annoyances with my regular Nessus scans is the continuous medium risks related to weak SSL ciphers. Nartac Software created a simple tool to help admins fix these issues: IIS Crypto. Simply download the tool, then run it as an administrator on your Windows box. I recommend you take the “Best Practices” template and apply those settings first. Always back up your current settings before changing anything!
I became aware yesterday that several sources are reporting Energy Services Group was “hacked” or “attacked.” There’s been a little saber rattling about hackers getting control of the US energy markets. Being that I’ve had some dealings with ESG over the years, I thought I might speak to this.
A few months ago, I had moved almost all of my storage into Google Drive, OneDrive, or iCloud depending on the usage. This allowed me to turn down my old Dell FreeNAS server in an attempt to save on my electric bill. I’ve never been completely on-board with this model, even though I know I’m keeping some physical backups for emergencies. It could be that I spend too much time listening to Michael Bazzell and Justin Carroll or the control freak in me, but not having control of my data really bugs me.
Folks - it’s time to tick everyone off with network maintenance windows! Cisco PSIRT released 30 vulnerabilities in their router firmware across multiple versions of IOS and IOS XE. Three critical vulnerabilities include one hard-coded credential affecting all IOS XE routers running IOS XE v16, and two which affect v15 under certain conditions. Fifteen high risk vulnerabilities run the gamut from denial of service to buffer overflow and privilege escalation.
The draft for this project has changed three times since starting - mostly due to resource constraints on my end. I’ve bounced between hardware, hypervisors, and focus, but I’ve settled on an approach. My immediate needs outweighed the need for a full VMware stack. What I really needed was a FreeNAS replacement, and after trying a few different options I’ve ended up right back on FreeNAS 11. This platform will support most of my storage, media, and VM needs for a year or so. It will also support several options for backing up and securing my data, allowing me to get off the cloud as much as possible.
TCP and UDP are two very different protocols. I’ve spent a fair amount of time over the years explaining these two issues to our power engineers and technicians. What better topic to post here?
Here’s a Splunk query to list any changes to privileged Active Directory groups:
I’ve decided that one of my new habits is to keep my social media footprint to a bare minimum. Listening to the newly discovered Complete Privacy and Security podcast has definitively changed my mind on how I handle my opsec.
I live in far Northern Maine - past the end of I-95. I would not have been able to earn my BS or MS degree without reliable internet at an acceptable cost.
Some sources for incident response playbooks for those who are interested:
I’ve been toying with getting this certificate for a while, but now I see this seems to be a golden ticket to get past the HR filters at larger companies. The cert demonstrates a broad knowledge of the overall security landscape and appears to be best suited to management types (cue pointy-haired boss).
After a couple hours of boredom waiting for a conference to start, I decided to fire up Wireshark and see what I could see across the wireless. I was greeted with the first few packets appearing to be my machine reaching out to random domains on the internet (see below). Something was attempting to lookup random hostnames on every domain in my search list. This freaked me out more than just a little. Was my machine infected with malware randomly trying to call home?
My family is approaching a major life crossroad: My stepson will graduate from high school next year and head off to college.
After a week of being very busy with other things, I wanted to take a few minutes and check on my blog only to be greeted by “Site cannot be reached.” SSH’ing into the site resulted in a similar response. So what happened?
Equifax lost over 140 million customers’ personal information during a recent breach. 44% of Americans just lost control over their social security, driver’s license, and credit card numbers along with their names, birth dates, addresses…basically everything required to start building false identities and robbing them blind.
I’ve finally gone pro! Both my previous blogs have been migrated over to this new site running my own private domain. The site is still in flux at the moment, but I’m hoping to grow it as time goes on.
Why does everyone in security keep saying they get all their news off Twitter? Am I just old school for wanting my RSS feeds and podcasts?
Ever need access to your home network, but you are somewhat locked into the Cisco AnyConnect client for some reason? OpenConnect Server is a great alternative to OpenVPN for these situations, and the OpenConnect client is commonly used on Linux distros to connect to Cisco AnyConnect servers. In my case, I use a combination of Windows, Mac, and Linux some of which are rather locked down.
Isn’t it funny how most crises don’t arise from just one bad event happening? Most crises arise from a long history of small, seemingly good decisions which weaken what used to be a resilient system. While all of those people walk around congratulating each other on cost and time savings, a small few are trying desperately to raise alarms. Those small few become cast as naysayers, the enemies of progress. Or, as with my personal situation, specifically asked to no longer be responsible for the resulting mess.
As I sit here in blustery Boston taking a break from SecureWorld for a bit, I’m actually brought back to some of the talks given at other conferences this year. I’ve been going over some of the recent talks at RSA and Shmoocon covering ICS security and frankly, I’m not as impressed as I thought. Sitting where I do in the industry, I see plenty of cyber and physical risks to the electric utility industry that should be addressed. Waving them off as being less important than squirrels isn’t doing the industry any favors. Now every utility and generation executive gets to wave that article around in the faces of their security team as an excuse to cut their desperately needed budget.
Rolling out new Ubuntu servers in a heavily MS infrastructure is always a pain. PowerBroker Identity Services from BeyondTrust makes life a bit easier by allowing Active Directory-based authentication in a straightforward package.
2016 has been a year full of breaches and a year full of passwords I’ve had to change. One resolution I’ve made in 2017 is to get away from using any multi-account passwords combinations, which means I’ve got to go full tilt into a password manager.
If the guys at Red Tiger Security wanted to kick my brain into black hat mode - they succeeded! I’ve just gotten back from a 5-day ‘boot camp’ style SCADA security class hosted by SANS in Houston, TX.
Here’s a quick fix when RIS tells you “the computer does not have enough disk space on the selected partition.”
I’ve got a couple of remote users who report not having any new email since sometime in 2005. These guys don’t sign on to the computers all that often, so I suspect Outlook didn’t automagically change their mailbox settings when I moved them to our new Exchange server back in 2005. Typically, I would do a remote assistance session with the users while logged in. However, these guys aren’t in the office very much and when they are I’m never at my desk. So I decided to try a new trick - and hopefully it works.
While I love OWA, I despise the IISADMPWD utilities used for password management in IIS and OWA. While we’ve had problems with some of our mail-only users changing their password in OWA for months, it hasn’t been a priority to get it fixed.
Symptom: Computer “locked up”, SPOOLSV.EXE using 100% CPU.
I’ve been building several small test servers and workstations, but I ran into a Windows Update error 80072EE2 putting a test server on my production network.
Ever have one of those days? Among all the random things the corporate beast threw at me, I encountered a wonderful WMI error generated by a GPO refresh.
After a few failed starts getting Java to update via WSUS Package Publisher, I’ve taken one more try. Here are the steps I used to successfully deploy Java 6 update 115. The process should work for any Java version.
Tech support phone scams are a few years old, but still fairly common. If someone calls you claiming to be from Microsoft (or some other tech company) wanting to connect to your computer to fix something, hang up.
In case you haven’t heard, many Drupal hosting providers and users dropped the ball on getting their systems patched. Tripwire reports automated scans started compromising sites just hours after the most recent patch announcement. The lesson here: Pay attention to your installed products, especially the internet-exposed ones. Attackers started hitting our systems for Shellshock a few hours after I learned of it, and luckily I read the article just after it was posted. You need to do your base-level security as always, but patching is a never-ending cycle. You need to stay on top of it.
Microsoft releases an advisory and fix-it tool to disable SSL3 in Internet Explorer, and recommends SSL 3 be disabled on all systems. It appears they are also disabling SSL3 on all their hosted internet services. I recommend we all do likewise.
If you subscribe to the InfoSecNews mailing list, as I have for several years, you know they provide valuable content. If you don’t, wander over to http://www.infosecnews.org/ and take a look at their content.
Join me in donating $1 to help support their efforts! It’s all secured by PayPal.
Thanks for the awesome effort guys!
FFTF’s Net neutrality campaign against big media appears to be paying off - according to them. As a collective group, we “The Internet” have fought off corporate mongers before. Can we do it again and permanently institute fair bandwidth allocation for all? Can we prevent big media from buying their way into first place across the internet, forcing everyone else into the background?
After a long hiatus, I’m finally going to post a blog entry! Yay me!
Just when you were running around looking for something…ANYTHING…to do, three major IT vendors release a crapton of patches.
Just came across the new zero-day in Windows which affects all versions. The patch should be available today under MS14-060, but I haven’t seen it yet to link it. It’s also not showing in WSUS.
Boredom and too many “junk” computers scattered around my home finally congealed into a small-scale IDS system. I’ve been toying with the idea of setting up Suricata to see how it compares to Snort, but I wanted to prototype a scalable multi-node system. I’ve done this in the past, but it’s been several years and that setup ran Snort/Barnyard/ACID. So this isn’t a new idea, but I’m thinking about scaling out more with SSH tunnels between multiple “scanners” and the “mothership.” Long-term the nodes would be all-in-one, low footprint plug-and-play units.
Nessus just released a plugin to scan for the latest Cisco ASA vulnerabilities. I haven’t yet heard of any IDS rules for this. I also have yet to try the plugin.
Looks like cybercrooks planted malware on Dairy Queen and Kmart’s point of sale systems. Kmart customers are at risk of having their cards cloned, but the company assured customers no personal information was at risk. Dairy Queen did not specify what data was impacted specifically, but did publish a list of affected stores.
Would chip & pin card tech mitigate these attacks?
Microsoft released the advance notification today for October 2014, which includes three critical vulnerabilities for Windows, Internet Explorer and .NET. Other patches for Microsoft Office and MSDN will be released as well. Brace for impact.
Two methods, which I’m posting here for my own sanity next time I need them:
I’ve used the init string method a few times without bothering to check the recovery console. Hopefully some time in the future, I will document the whole process myself and post it here for posterity’s sake.
Updates to my post from yesterday on the ASA vulnerabilities:
- Dropbox, KeePass and Chrome all have updates out.
- The guys who released BadUSB code also released a "patch" which only fixes one aspect of one vendor's USB device. They actually recommended applying Bondo to a thumb drive to prevent physical tampering. I've heard of devices that physically lock out a USB port but don't ruin them or the case, but considering the condition of work computers I've seen us decommission I would just Bondo it over myself. I'm sure my users would just love that.
- The analytics black hole for detecting internal security threats - a brief summary of a Tech Republic article driving home the same old concepts - we do a piss poor job of user security awareness and education.
- Gartner lays out its top 10 tech trends for 2015
- The US Government Is Going To Store Top Secret Documents In The Cloud
- Insider threat to critical infrastructure 'underestimated', says DHS
- US Says It Can Hack Foreign Servers Without Warrants - no analysis here - just scary but apparently legal.
- Obama Had Security Fears on JPMorgan Data Breach (Courtesy InfoSecNews Mailing List)
- An inside look at Russian cybercriminals (Courtesy InfoSecNews Mailing List)
- F-Secure's whitepaper "BLACKENERGY & QUEDAGH: The convergence of crimeware and APT attacks"
- George Kao's "A System For Email Productivity" contains a lot of ideas I've used in the past, but the presentation here is well worth the read.
If you haven’t set up your two-factor authentication for third party apps in iCloud yet, now is the time. Unless you are like me, and gave Google all of those tasks already. :) Kudos to Apple for finally coming down off the high horse and admitting they can be hacked…kinda sorta. :)
As a side note, I have to say I’m coming more and more into the dark side of fanboydom since I switched to the iPhone. I didn’t switch by choice mind you, but I did switch. Almost all of the annoyances from my Android days were gone, but I really miss the bigger screens and greater flexibility. For now, I’m ok with trading the flexibility up for stability in a device more important than my laptop.
- The SANS Stormcast mentioned the Cuckoo Sandbox for malware research, so I took a few minutes and checked it out. Based on the About and FAQ pages, this looks like a VM style sandbox to document what malware is actually doing to a Windows machine. How it works - I don't know as I went tl;dr on it. If you are interested in malware forensics, this bad boy might be just what you needed.
- Scheduled Tasks: 0x80090016: Keyset does not exist. - One of my 2003 servers decided to go stupid on my scheduled tasks...yes I know I said 2003. Easy fix - just watch that you reset the task's user account info.
FYI - Anonymous announced #OpRemember, which appears to be in recon mode right now. The financial sector, government, biotech (Monsanto), and what I assume are organizations responsible for putting Fluoride in water/products.
- SANS ISC StormCast - mention of two new NMAP diary entries which I want to look into more.
The day started with today’s SANS ISC StormCast.
WSUS Reporting with PowerShell & WSUS automatic E-mail reports HOWTO - I’m attempting to automate my daily processes, so getting an email from WSUS telling me who needs patches is great. Now to find the time to set it up!
I spent a couple of days this week attempting to get my two System i’s to authenticate against the AD domain we are going to. I thought it would be easy, but as with most things IBM it wasn’t. My biggest hurdle was getting the AS/400s to talk AES to the new Windows 2008 R2 domains.
Not much meat to this one, just a list of links to major products that are affected by ShellShock:
I know the title is rather boring, maybe I will think of something more exciting later. I thought it might be worthwhile to share what I read in regards to information security today, and more importantly why. We infosec professionals read so many blogs, newspapers, and articles today that I’m surprised we read anything for pleasure. Hopefully this helps someone, or at least gives me a reference back to something cool I read later on.
Well it looks like the new cyber czar is a noob in the eyes of the greater IT community all because of his “you don’t have to be a coder” comment. First, why would one in the IT field expect someone in management to be able to configure a firewall on their own? j/k Frankly, the cyber czar or any other management position doesn’t need a detailed IT background to succeed where the real problem exists - between the ears of everyone touching a keyboard, mouse, iPad, or smartphone.
It’s been a long while since I wrote a blog entry. Frankly, I’ve just been busy focusing on other things like spending the short summer with my family and dealing with the many changes this merger has brought on me.
It’s all too often I see a threatening email with the subject “Scanned from a Xerox Multifunction Device” which could simply be spam, but it could also carry a malicious payload. These devices come with enough vulnerabilities as it is, and everyone who deploys them should go through all the default settings. All too often, the leasing company brings them in and only pops in the bare minimum to get the device up and running on the network. I try to make my rounds and customize the settings, but how many IT shops actually do?
Hello - I’ve spun up this blog to help me better categorize the many aspects of work I do and help share my experiences without jumbling up too many topics. I may choose to consolidate this back into my main blog at some point.
Once again, my great state of Maine comes up with another brilliant big-brother law: add computer techs to the list of “mandated reporters” of suspected child abuse.