A lot has been going on since I got a concussion a couple of months ago! I’ve mainly focused on work and recovery, and have recently started feeling more normal.
I will be resuming my capstone project and should finish my bachelor’s degree this summer, or winter. This really depends on how incompletes and summer registration for classes go. But I have the OK to work on capstone until the end of May. I plan to review the research and work I had done before and come up with a timeline for the remaining work afterward. I should have a progress report by the end of this weekend.
This week, I’m looking forward to helping set up wifi at Open West as a volunteer and will be sure to write about the experience.
While I may or may not have any regular readers yet, because of my personal goal to blog regularly, I want to state that I will not be able to meet my posting goals for some time.
The bad news:
On February 16th, I sustained a concussion and at this time am struggling with light sensitivity and concentration issues.
That’s why I haven’t been able to make updates on my projects, and haven’t been sharing much of what I’ve found and learned for a few weeks.
I have a lot of ideas and projects I want to work on, as well as resources I’ve found and wanted to do write-ups on. But trying to catch up on school and personal projects as the breadwinner of my family has meant that I’m stretched thin right now.
The good news:
My first priorities are to graduate this semester or next semester while getting back into my job full time. In order to do that, there will be doctor visits and other appointments, as well as plenty of breaks sitting in dark rooms.
What is really great is that I have an excellent husband, workplace and peers who have helped me step back a bit, and given great advice. It’s shown me that uprooting my life to study IT, and going out of my way to be involved in the cybersecurity community (as much as I can), was the best thing I could have done.
It’s funny how right now, some mental tasks are “easy” and others are sometimes impossible! For example, counting more than a few things, staying on task, or doing arithmetic… not so good. Yet, I can generally express myself sufficiently. There is a big difference between expressing experiences, and writing well about complex issues. But I have a feeling as I get better, I’ll want to share what I’ve found for accessibility software and the like. Maybe someday I can contribute to improving or expanding some of the vision and focus tools!
On a similar note, despite my successes, my years at UVU have been an extremely difficult period in my life. The sordid details aren’t important, but suffice to say I’ve become well acquainted with my own burnout-doppelgänger. Having a serious but recoverable injury has shown me how much I’ve learned from the bad in the last four years. I finally understand what is meant by the saying that hardship builds character. And it’s reignited my passion for my studies at a time when I was once again, setting unrealistic standards for myself. If I had given up sooner, I wouldn’t be so lucky now.
I hope if you’re burning out, or facing a monumental struggle right now, that you also hold on to hope and take care of yourself. It may or may not get better, but I promise, if you don’t give up, you will get stronger.
The information age is grand! Anyone with an internet capable device and a connection can learn whatever they want if they know where to look. However, information overload is easier than ever.
In the interest of sharing, and not losing, information about some fascinating community resources, I put together this small list of publications and archives for techies, hackers and security-conscious folks.
2600 : The Hacker Quarterly
I love 2600, and it was the first zine or publication I came across written by and for hackers. There are opinion pieces, stories, research and more in the quarterly. To me, 2600 is fascinating and inspiring. It’s the only magazine I can pick up at Barnes & Noble concerned with privacy, freedom and surveillance.
But I don’t think I can put it any better than the New Yorker did here when interviewing the editor, Emmanuel Goldstein:
“2600 provides an important forum for hackers to discuss the most pressing issues of the day—whether it be surveillance, Internet freedom, or the security of the nation’s nuclear weapons—while sharing new code in languages like Python and C. For example, the most recent issue of the magazine addresses how the hacking community can approach Snowden’s disclosures. After lampooning one of the leaked N.S.A. PowerPoint slides … and discussing how U.S. government is eroding civil rights, the piece points out the contradictions that everyone in the hacking community currently faces. “Hackers are the ones who reveal the inconvenient truths, point out security holes, and offer solutions,” it concludes. “And this is why hackers are the enemy in a world where surveillance and the status quo are the keys to power.”
Scott told me that 2600’s advocacy for Snowden was nothing new. At the time of the leaks, the then Congressman Ed Markey, of Massachusetts (he is now a senator), once called the publication “a manual for computer crime.” But the magazine is less a how-to guide than a collection of stories gathered by hackers on their adventures on and offline, reflecting the bulletin-board systems (B.B.S.s) that inspired Goldstein to start the magazine in the early eighties.” [From https://www.newyorker.com/tech/annals-of-technology/print-magazine-hackers]
If you can’t find it in your bookstore you can still subscribe to paper or digital issues here: https://www.2600.com/
Proof of Concept or Get the Fuck Out started as a community zine, and is now also available in two bound volumes, printed by the beloved No Starch Press!
In their own words:
“PoC||GTFO (Proof of Concept or Get The Fuck Out) follows in the tradition of Phrack and Uninformed by publishing on the subjects of offensive security research, reverse engineering, and file format internals. Until now, the journal has only been available online or printed and distributed for free at hacker conferences worldwide.
Consistent with the journal’s quirky, biblical style, this book comes with all the trimmings: a leatherette cover, ribbon bookmark, bible paper, and gilt-edged pages. The book features more than 80 technical essays from numerous famous hackers, authors of classics like “Reliable Code Execution on a Tamagotchi,” “ELFs are Dorky, Elves are Cool,” “Burning a Phone,” “Forget Not the Humble Timing Attack,” and “A Sermon on Hacker Privilege.” Twenty-four full-color pages by Ange Albertini illustrate many of the clever tricks described in the text.” – [https://nostarch.com/gtfo]
As you might expect, it’s full of PoC and research, in addition to poetry and social commentary. If you’re looking for inspiration, or want to know how to hack your Tamagotchi, this is the place to look!
From Times Passed
NTK [http://www.ntk.net/] ran from 1997 to 2007 and collected interesting tidbits and news in the community.
Check out the photos below to get a feel for their content.
Phrack appears to no longer be active, but the website is up and full of fascinating reads. To allow it to speak for itself, here is the introduction to Phrack from 1985:
This article on the fall of hacker groups is one of my favorites right now:
Bsides SLC was 2/21 & 2/22 this year, and luckily although I couldn’t participate as much as I wanted to, I was able to make it to the last few hours yesterday!
If you aren’t familiar, Bsides is a DIY, grassroots security con which is really well described here: http://www.securitybsides.com/w/page/12194138/BSides. Bsides has a reputation for being friendly to those new to security, and I’d highly recommend it to anyone.
It was great to see friends that I never manage to meet up with outside of community events. And there are so many little things I loved about the conference. For example:
Sean Jackson is always on top of getting actual women’s shirts for cons. This is great because, unlike the men’s straight cut that is almost universally considered unisex, they are comfy and fit!
My next step is to reach out to groups who may be interested or could benefit from having their own social media server.
While I may be able to target the project to my contacts in IT or cybersecurity, or from art school, my advisor had excellent suggestions for reaching out to established groups who could benefit, such as campus clubs, non-profit organizations, a church group or even a city rec center. In other words, there is surely a group who would like to stay connected without having to use big social media platforms.
Currently, I’m compiling a list of possible contacts, and drafting fitting proposals per group. Hopefully, I can find a group that is interested and comfortable with the proposal. I’m very excited to get underway!
Cost allowing, I plan to set up a server for personal use, such as amongst friends, in order to get started on the technical and logistical aspects. This should help me when I make contact with an interested group.
Until next time, best of luck to you in all you do! : )
Despite the fact that this is my last semester before I graduate, the most exciting part for me is that I can finally dedicate a substantial amount of time to hands-on projects. The main reason is that I’m working on my capstone project and have another class requiring a hands-on project. In both cases, the projects are very open and meant to encompass about 3 months of work. The only restriction on the second project is that it must be cloud based and for a nonprofit group.
Capstone: FitBit Telemetry, Privacy, and Security Analysis
For my B.S. IT degree, my capstone project is centered on the security and privacy of wearable technology like the FitBit. As digital and internet technology expands into new areas of life, an unfathomable amount of data is generated by our comings and goings. Wearable tech is subject to the same concerns as other Internet of Things devices, with the additional issues brought about by collecting biometrics and health information. So, after a review of current literature, I will start by analyzing telemetry data sent by the FitBit Charge2, and possibly other models. While others have done research in this area, I think it will be important to collect and analyze data myself.
One of my concerns with wearables such as fitness trackers is that in order to use them, consumers must place full trust in the company selling them the hardware. Heartbeat data is collected, sent to servers, and analyzed in order to provide the user with useful reports. For the FitBit this means turning on location services and Bluetooth in order to authenticate and sync the device. While there is the option to encrypt data sent to the servers, I’d rather connect the tracker to a laptop or other computing device to handle processing. So my second goal is to develop an application to handle the data locally, without needing to use others’ servers.
What excites me about this project is the chance to learn more about how health data is collected, stored, managed, and presented as information. In addition to that, I’d like to be able to develop programming skills to create a tool that puts control back in the hardware owner’s hands. This project will be the most difficult and research intensive of the two, but that’s why I’m so excited to begin!
Cloud Architecture: Mastodon
While my second project hasn’t been approved yet, the thing I’m really excited to use cloud services for is to set up and maintain a Mastodon instance. Eugene Rochko created Mastodon, which is built on standard protocols to allow any community to set up their own server. These independent servers are interoperable allowing a federation of independent social media servers to arise. Mastodon is free, contains anti-abuse tools, is naturally community moderated, and has no advertisements. This means that unlike Facebook, Twitter, YouTube and Patreon, content creators are not restricted or influenced by corporate interests outside of their control.
When I heard about Mastodon, I signed up for an account on Mastodon.Technology and since then, I’ve toyed with the idea of setting up my own instance. However, time and financial constraints meant that I had to keep putting the experiment off for ‘one day’. Particularly in light of deplatforming campaigns, which occur with increasing regularity and often spin out of control through giant games of internet telephone, a community-owned decentralized social media platform is extremely appealing. I believe the internet is at its best when people can interact freely, without censorship, without having their intellectual property rights undermined, and in communities which are not isolated, but can set their own standards.
The strength of hosting the instance on a cloud service is that it will be possible to pay for resources in proportion to their use. Therefore if the server has low usage, or suddenly high usage, service will continue and pricing should stay reasonable. I plan to promote it amongst security and privacy conscious friends, as well as my artist friends who may find themselves increasingly restricted by social media scrutiny and standards.
Hosting the Mastodon instance will provide another real world avenue to understand resource usage and allocation over time, as well as cloud server vulnerabilities. If I can get the server up and active quickly, then my focus will be on maximizing privacy and control for users as well as safety.
As I progress through both of these projects my plan is to document my progress here. Hopefully, it can help someone else, as well as serve as a useful personal record.
Collegiate cyberdefense competitions evaluate teams through several different metrics. While technical skills and concepts like incident response take center stage, soft skills and business knowledge are also tested. Business injects in particular tend to test general knowledge, understanding of business policy, the ability to communicate and influence non-technical superiors without technobabble, and so on.
In keeping with the business scenario the team operates within, business injects often require creating policies, plans for implementing them, and giving professional recommendations to your CEO who… doesn’t speak computer geek.
CEO requests a report covering what GDPR is, whether the company can become compliant within 12 months, whether they can afford to do it, whether they can afford not to do it, and a justified recommendation about how to move forward.
Log and Report all known breaches and countermeasures taken against them.
Some injects are purely technical, or purely business, but others require competency in both areas, such as:
Report on the effectiveness of the implemented SIEM using specific examples
Create an incident response policy and plan for implementing it
Because the technical injects cover a range of operating systems, and types of tasks, this post will focus on aspects of technical writing, and business documents.
There are some critical things that you need to remember when writing these reports:
1. More likely than not, you will not have enough time, but you must still be comprehensive.
If you’ve been asked for A, B and C, and have 30 minutes left before submission, you need to make some tough calls about where to cut your losses. If you have no understanding of how to address part C, then pour your heart and soul into the rest of B. But chances are, you’re best off at least briefly addressing all parts of the request.
2. Save a substantial chunk of your allotted time for delivering injects.
Arbitrarily, you might want to save 30% for nonsense, interruptions, stopping to put out a fire, or delivery mishaps. You can’t rely on the USB drives remaining pure and uncorrupted, you might lose email at any time, and who knows if the printer is still functional.
3. Your team captain is your best asset for data collection, task management and time management.
My team captain was invaluable, because he was always able to help me find out who was dealing with the systems I needed information on. He also helped me track time, which was super important at the National competition level.
4. This is a role you need to study for!
If you have enough work experience in a corporate setting then you may have a feel for what privacy policies, acceptable use policies and the like contain. But if you have to think about it too long you’ll get bogged down and lose time. Ideally, you shouldn’t have to google anything but new laws or specific products. Therefore, make sure you familiarize yourself with the basics of GDPR, HIPAA, memos and policy documents.
If you can outline a 10 page thesis paper reasonably well, or outline a 3-10 minute speech, then you should have little trouble organizing the reports logically.
There are a lot of resources online about technical writing. I’d recommend starting with SANS templates. Print them out, mark them up, and make sure that you understand the content and structure. I will be following this post up with a part two focused on resources for technical and policy writing, and other resources for collegiate cyberdefense competitions.
First things first, what is sqlmap? It’s an open source penetration testing tool for automating the process of finding SQL injection flaws and taking over databases. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*
The following is really just a combination of my notes, and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can You get a shell on a webserver using sqlmap?”
The initial set up here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I typically was using Burpsuite as my proxy from the Kali Linux VM, however this was my exploration of sqlmap used alone.
Premise: Using Sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.
Firstly, you should use sqlmap against a URL hosted on the target server to see what you can learn about the systems. It can also show us what sort of SQL injection attacks a parameter, like the GET parameter customerid, is vulnerable to. In the following, a submission URL was fed to sqlmap.
Finally, we can also see the server OS, the version of Apache and type of database.
So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL above 5.0.12. This information has been automatically saved in a file for us as well.
Looking through the advanced help there are a few parameters that seem interesting.
I didn’t want to mess with the registry to prove access since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the --file-write and --file-dest options to upload the WhiteWinterWolf PHP web shell [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the web server. For the purpose of making it easier for me to upload files and browse the system, it was quite helpful. The first two images below are screencaps from the Windows 7 VM that I took to verify the file was uploaded.
I was able to navigate to the web shell like so:
Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error since it was my first time using sqlmap, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you only use other people’s tools, so don’t neglect that side of study either!
All that’s left from here on out are the notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.org to look at the demos and information they have available to learn more.
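From the defender’s side, the probing described above leaves a clear trail in the web server’s access log: sqlmap announces itself in its default User-Agent, and the payloads it injects into a parameter like customerid (boolean tests, UNION SELECT, time delays, INTO DUMPFILE for file writes) are visible in the request line once the URL encoding is undone. The following is an added example, not part of the original write-up or of sqlmap: a small Python scanner over Apache combined-format log lines that I constructed for illustration (the host, paths, timestamps and payloads are made up, and the User-Agent string follows sqlmap’s usual "sqlmap/<version>#stable (http://sqlmap.org)" shape).

```python
"""Flag sqlmap-style SQL injection probes in Apache combined-format access logs.

Added example: the log lines below are constructed for illustration, not
captured from the BadStore VM described in the post.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Each rule is (label, regex) applied to the URL-decoded query string.
# UNION must be followed by SELECT, so a search for "union station" is not flagged.
QUERY_RULES = [
    ("union-select", re.compile(r"\bunion\b(?:\s+all|\s+distinct)?\s+select\b", re.I)),
    ("boolean-probe", re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I)),
    ("time-delay", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("file-write", re.compile(r"\binto\s+(?:out|dump)file\b", re.I)),
    ("comment-terminator", re.compile(r"--\s|/\*")),
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decoded_query(target):
    """Extract and URL-decode the query string of a request target."""
    return unquote_plus(urlsplit(target).query)


def inspect_request(entry):
    """List the reasons a parsed request looks like an injection probe."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        reasons.append("sqlmap-user-agent")
    query = decoded_query(entry["target"])
    for label, pattern in QUERY_RULES:
        if pattern.search(query):
            reasons.append(label)
    return reasons


def analyze_log(lines):
    """Return one finding per suspicious request: source IP, decoded query, reasons."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = inspect_request(entry)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "query": decoded_query(entry["target"]),
                "reasons": reasons,
            })
    return findings


# Constructed sample log (not real traffic). Two benign requests, then three probes.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2019:10:01:02 -0600] "GET /shop.php?customerid=5 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [12/Mar/2019:10:01:09 -0600] "GET /search.php?q=union+station+map HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    # sqlmap's default User-Agent together with a boolean-based probe
    '10.0.0.9 - - [12/Mar/2019:10:02:30 -0600] "GET /shop.php?customerid=5%20AND%201%3D1 HTTP/1.1" 200 1532 "-" "sqlmap/1.3.2#stable (http://sqlmap.org)"',
    # UNION-based probe behind a spoofed browser User-Agent
    '10.0.0.9 - - [12/Mar/2019:10:02:31 -0600] "GET /shop.php?customerid=5%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    # attempt to write a file through the database, which is what --file-write relies on
    '10.0.0.9 - - [12/Mar/2019:10:03:12 -0600] "GET /shop.php?customerid=5%20LIMIT%200%2C1%20INTO%20DUMPFILE%20%27C%3A%2Fwebroot%2Fshell.php%27--%20 HTTP/1.1" 500 340 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["ip"], finding["reasons"], finding["query"])
```

The User-Agent check is the weakest rule, since sqlmap can send any User-Agent it is told to, so the query-string rules do the real work; in practice you would feed them the whole log rather than a handful of lines and correlate by source IP. The file-write attempt at the end is also the one to look at for hardening: it only works when the database account the web application uses holds the MySQL FILE privilege and the web root is writable for the database process, neither of which a web application account should have. Parameterized queries in the PHP code remove the injection itself.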
--os-shell (from the file access help in sqlmap)
I thought from the description maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options to find writable web root / htdocs directories.
It wasn’t that helpful because the process user (which is what I was at the time) doesn’t have the privilege to write.
--priv-esc --os-shell : Adding --priv-esc didn’t noticeably change the --os-shell output, and running it as the only parameter other than -u only gave stored session information.
If you open Index with Nano there is nothing there…
Not really sure if it’s reading anything or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t make a document in the /www.sql.net/files directory.
*On sqlmap: At the time I last accessed sqlmap’s webpage, HTTPS was not configured. It is published under the GNU General Public License. Please note their disclaimer: “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”
Virtual machines, emulations of computers, are an amazing learning tool. If you have a single computer and want to learn about computer networking, web application pen-testing, or try a new Linux distro, virtual machines are your very best friend. By setting up one or more servers as virtual machines you can experiment with quite a bit!
All you need is a hypervisor, a program to run the virtual machines, and installation media for your virtual machine.
The two main options you’ll hear a lot about are the lovely open source Oracle VirtualBox [https://www.virtualbox.org/] and VMware. You can get VMware Workstation Player for free (Windows), or get a trial of VMware Fusion (Mac) or VMware Workstation Pro (Windows). But VirtualBox is free, and can run on any OS.
Let’s say you install VirtualBox on your personal computer. Now you need installation media to install the operating system. This is pretty similar to installing an operating system on a ‘real’ computer. There are a lot of options as far as that goes. For example:
Kali Linux: Built with the security pro/nerd in mind, Kali comes with a ton of tools like Burpsuite already installed. https://www.kali.org/downloads/
Once you have your system image (your copy of the OS) you can install it on a virtual machine quite easily. Below I’ve included a guide for VirtualBox.
1. Open up VirtualBox and, naturally, click “New” to begin setting up a virtual machine.
Give it a snazzy name, and make sure to set ‘type’ and ‘version’ appropriately.
2. Determine how much memory to allocate to the VM. This will depend on your hardware specs, OS requirements, and how many virtual machines you want to be able to run on your hardware in the first place.
Guided Mode isn’t that different from ‘Expert Mode’, by the way. It gives more detail about the options and makes suggestions for the values, but in reality provides the same options.
3. If you’ve selected ‘create virtual hard disk now’ (and if this is your first VM, you’ll need to), then you’ll be confronted with the following:
It’s worth noting that you may find you have difficulty exporting the VM from VirtualBox either way. Your mileage will vary, but there always seems to be some sort of hiccup in my experience. If you think you might want to try VMware later, you can create the disk as a VMDK, which is compatible with both programs.
The allocation on your local disk is pretty self-explanatory since Oracle gave such a thorough description. I prefer dynamic allocation to save space on my hard drive until I need it, but it’s up to you. Just make sure wherever you create the file, you don’t tamper with it later.
Simply give that file a recognizable name and choose its size.
From here, it’s more or less dependent on which OS you are installing and what virtualized hardware you’ll want.
For example, you can alter the virtual machine settings to add an optical drive (think CD player), which you can load a .iso file into. ISO is often used for operating system images or other archives.
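Everything the wizard does above can also be scripted with VBoxManage, the command-line tool that ships with VirtualBox, which is handy when you rebuild lab VMs often. The script below is an added example, not part of the original guide: it performs the same three steps (name and OS type, memory, a VMDK disk), then attaches an optical drive with an installer ISO as the last paragraph describes. The VM name, memory size, disk size, ISO path and the file name it expects to be saved under are all assumptions you would adjust; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: scripted equivalent of the VirtualBox "New VM" wizard steps.
# VM_NAME, MEMORY_MB, DISK_MB, ISO_PATH and VM_DIR are assumed values, not from
# the post. Run with DRY_RUN=1 to print the VBoxManage commands without executing.
set -eu

VM_NAME="${VM_NAME:-kali-lab}"
MEMORY_MB="${MEMORY_MB:-2048}"
DISK_MB="${DISK_MB:-20480}"                                # 20 GB, dynamically allocated
ISO_PATH="${ISO_PATH:-${HOME:-/tmp}/Downloads/kali-linux.iso}"   # placeholder path
VM_DIR="${VM_DIR:-${HOME:-/tmp}/VirtualBox VMs/$VM_NAME}"

# Run a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

create_lab_vm() {
    # Step 1: name, type and version ("Debian_64" is the closest built-in type for Kali)
    run VBoxManage createvm --name "$VM_NAME" --ostype Debian_64 --register
    # Step 2: memory to allocate to the VM
    run VBoxManage modifyvm "$VM_NAME" --memory "$MEMORY_MB"
    # Step 3: virtual hard disk, created as VMDK so VMware can read it later
    run VBoxManage createmedium disk --filename "$VM_DIR/$VM_NAME.vmdk" \
        --size "$DISK_MB" --format VMDK
    run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
    run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
        --type hdd --medium "$VM_DIR/$VM_NAME.vmdk"
    # Optical drive (the virtual "CD player") with the installer ISO loaded
    run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
    run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
        --type dvddrive --medium "$ISO_PATH"
}

# Only create the VM when this file is executed under its assumed name;
# sourcing it just defines the functions.
if [ "${0##*/}" = "create_lab_vm.sh" ]; then
    create_lab_vm
fi
```

After the script runs, "VBoxManage startvm kali-lab" boots the VM from the ISO, and once the OS is installed the optical drive can be emptied again from the VM settings so it boots from the disk.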
I’m not sure how helpful this is or not, but if you have questions about basic set up let me know in comments. At some point, I’ll get started on an article to follow this one to explain various settings or options in depth, that may be confusing the first time you see them. My real agenda is to provide instructions on hosting a website from your virtual machine, in order to introduce tools like Burpsuite or OWASP’s testing tools.
**I’ve been reading The Manga Guide to Cryptography and PoC||GTFO to learn more about crypto. I’m just trying out digitizing some of my notes here, though I’m thinking a wiki like DokuWiki would be better. OneNote isn’t really floating my boat lately. Anyway, this shouldn’t be taken as original writing or a finished article, and I will cite direct quotes when necessary**
Takeaway: There are far more permutations of n than there are combinations
Frequency Analysis: based on the features of the ciphertext, or known statistics about it, guesses can be made about the plaintext or encryption key. It’s highly effective against simple substitution ciphers.
Example: The most common letter in the English alphabet is E and the most common word is THE, so repeats or common characters in the ciphertext can hint at the key, or plaintext.
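Worked out in formulas (an added note, not from the books): choosing k of n items in order gives the permutations P(n,k), while ignoring order gives the combinations C(n,k), and the two differ by exactly the k! orderings of each chosen set:

$$P(n,k) = \frac{n!}{(n-k)!}, \qquad C(n,k) = \binom{n}{k} = \frac{n!}{k!\,(n-k)!} = \frac{P(n,k)}{k!}$$

For example, with the 26 letters of the alphabet and k = 3: P(26,3) = 26 \cdot 25 \cdot 24 = 15600 ordered triples, but only C(26,3) = 15600 / 3! = 2600 unordered sets. Taking k = n = 26, an ordering of the whole alphabet (the key of a simple substitution cipher) has P(26,26) = 26! \approx 4.03 \times 10^{26} possibilities, while C(26,26) = 1.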