A Semester for Neglected Projects

Although this is my last semester before I graduate, the most exciting part for me is that I can finally dedicate a substantial amount of time to hands-on projects. The main reason is that I’m working on my capstone project and have another class requiring a hands-on project. In both cases, the projects are very open and meant to encompass about 3 months of work. The only restriction on the second project is that it must be cloud based and for a nonprofit group.

Capstone: FitBit Telemetry, Privacy, and Security Analysis

For my B.S. IT degree, my capstone project is centered on the security and privacy of wearable technology like the FitBit. As digital and internet technology expands into new areas of life, an unfathomable amount of data is generated by our comings and goings. Wearable tech is subject to the same concerns as other Internet of Things devices, with the additional issues brought about by collecting biometrics and health information. So, after a review of current literature, I will start by analyzing telemetry data sent by the FitBit Charge2, and possibly other models. While others have done research in this area, I think it will be important to collect and analyze data myself.

One of my concerns with wearables such as fitness trackers is that in order to use them, consumers must place full trust in the company selling them the hardware. Heartbeat data is collected, sent to servers, and analyzed in order to provide the user with useful reports. For the FitBit this means turning on location services and Bluetooth in order to authenticate and sync the device. While there is the option to encrypt data sent to the servers, I’d rather connect the tracker to a laptop or other computing device to handle processing. So my second goal is to develop an application to handle the data locally, without needing to use others’ servers.

What excites me about this project is the chance to learn more about how health data is collected, stored, managed, and presented as information. In addition to that, I’d like to be able to develop programming skills to create a tool that puts control back in the hardware owner’s hands. This project will be the most difficult and research intensive of the two, but that’s why I’m so excited to begin!

Cloud Architecture: Mastodon

[Image: the Mastodon mascot, a mastodon leaping into the air with a paper airplane in its trunk, surrounded by clouds and paper airplanes. The image links to joinmastodon.org]

While my second project hasn’t been approved yet, the thing I’m really excited to use cloud services for is to set up and maintain a Mastodon instance. Eugene Rochko created Mastodon, which is built on standard protocols to allow any community to set up their own server. These independent servers are interoperable allowing a federation of independent social media servers to arise. Mastodon is free, contains anti-abuse tools, is naturally community moderated, and has no advertisements. This means that unlike Facebook, Twitter, YouTube and Patreon, content creators are not restricted or influenced by corporate interests outside of their control.

When I heard about Mastodon, I signed up for an account on Mastodon.Technology, and since then I’ve toyed with the idea of setting up my own instance. However, time and financial constraints meant that I had to keep putting the experiment off for ‘one day’. A community-owned, decentralized social media platform is extremely appealing, particularly in light of deplatforming campaigns, which occur with increasing regularity and often spin out of control through giant games of internet telephone. I believe the internet is at its best when people can interact freely, without censorship, without having their intellectual property rights undermined, and in communities which are not isolated but can set their own standards.

The strength of hosting the instance on a cloud service is that it will be possible to pay for resources in proportion to their use. Therefore if the server has low usage, or suddenly high usage, service will continue and pricing should stay reasonable. I plan to promote it amongst security and privacy conscious friends, as well as my artist friends who may find themselves increasingly restricted by social media scrutiny and standards.

Hosting the Mastodon instance will provide another real world avenue to understand resource usage and allocation over time, as well as cloud server vulnerabilities. If I can get the server up and active quickly, then my focus will be on maximizing privacy and control for users as well as safety.

Future Updates

As I progress through both of these projects my plan is to document my progress here. Hopefully, it can help someone else, as well as serve as a useful personal record.

Collegiate Cyberdefense Competition Injects Part 1: Introduction to Business Injects

Collegiate cyberdefense competitions evaluate teams through several different metrics. While technical skills and concepts like incident response take center stage, soft skills and business knowledge are also tested. Business injects in particular tend to test general knowledge, understanding of business policy, the ability to communicate with and influence non-technical superiors without technobabble, and so on.

In keeping with the business scenario the team operates within, business injects often require creating policies, plans for implementing them, and giving professional recommendations to your CEO who… doesn’t speak computer geek.

For Example:

  • CEO requests a report covering what GDPR is, whether the company can become compliant within 12 months, whether they can afford to do it, whether they can afford not to do it, and a justified recommendation about how to move forward.
  • Log and Report all known breaches and countermeasures taken against them.

Some injects are purely technical, or pure business, but others require competency in both areas. Such as:

  • Report on the effectiveness of the implemented SIEM using specific examples
  • Create an incident response policy and a plan for implementing it

Because the technical injects cover a range of operating systems, and types of tasks, this post will focus on aspects of technical writing, and business documents.

There are some critical things that you need to remember when writing these reports:

1. More likely than not, you will not have enough time, but you must still be comprehensive. If you’ve been asked for A, B and C, and have 30 minutes left before submission, you need to make some tough calls about where to cut your losses. If you have no understanding of how to address part C, then pour your heart and soul into the rest of B. But chances are, you’re best off at least briefly addressing all parts of the request.

2. Save a substantial chunk of your allotted time for delivering injects.

Arbitrarily, you might want to save 30% for nonsense, interruptions, stopping to put out a fire, or delivery mishaps. You can’t rely on the USB drives remaining pure and uncorrupted, you might lose email at any time, and who knows if the printer is still functional.

3. Your team captain is your best asset for data collection, task management and time management.

My team captain was invaluable, because he was always able to help me find out who was dealing with the systems I needed information on. He also helped me track time, which was super important at the National competition level.

4. This is a role you need to study for!

If you have enough work experience in a corporate setting then you may have a feel for what privacy policies, acceptable use policies and the like contain. But if you have to think about it too long you’ll get bogged down and lose time. Ideally, you shouldn’t have to google anything but new laws or specific products. Therefore, make sure you familiarize yourself with the basics of GDPR, HIPAA, memos and policy documents.

If you can outline a 10 page thesis paper reasonably well, or outline a 3-10 minute speech, then you should have little trouble organizing the reports logically.

There are a lot of resources online about technical writing. I’d recommend starting with SANS templates. Print them out, mark them up, and make sure that you understand the content and structure. I will be following this post up with a part two focused on resources for technical and policy writing, and other resources for collegiate cyberdefense competitions.

Toying with SQLmap

First things first, what is sqlmap? It’s an open source penetration testing tool for automating the process of finding SQL injection flaws and taking over databases. I won’t get into the full capabilities here, but you can learn more at [http://sqlmap.org/]*

The following is really just a combination of my notes, and an extra credit assignment given by one of my professors in the spring. This was not a tool we covered in class, and the question was “Can You get a shell on a webserver using sqlmap?”

The initial setup here is a Kali Linux virtual machine and a Windows 7 virtual machine hosted on my own personal workstation. At the time, I had the vulnerable web application BadStore [] running on the Windows VM. The website was accessible to the Kali VM via an entry in the /etc/hosts file. I was typically using Burpsuite as my proxy from the Kali Linux VM, but this was my exploration of sqlmap used alone.

us@vamanos:~$

Premise: Using Sqlmap from my Kali VM to attack a web application hosted on my Windows 7 VM, it is possible to get a shell on the web server.


Firstly, you should use sqlmap against a url hosted on the target server to see what you can learn about the systems. It can also show us what sort of sql injection attacks a parameter, like GET customerid is vulnerable to. In the following a submission URL was fed to sqlmap.

[Screenshot of the Kali Linux command line: the sqlmap output indicates that the GET parameter 'customeridget' is injectable via 'Generic UNION query (NULL) - 1 to 20 columns'. sqlmap prompts the user to ask whether the others should be tested, and Yes is selected. More information is displayed regarding the GET parameter 'customeridget' and the queries. sqlmap indicates the back-end database management system is MySQL, the web server operating system is Windows 7, the web application technologies include Apache 2.2.22 and PHP 7.1.7, and the MySQL version is greater than or equal to 5.0.12. The data is fetched and logged to text files under /root/.sqlmap/output/www.sql.net]

Finally, we can also see the server OS, the version of Apache and type of database.

So we know it’s a site hosted with Apache 2.2.22 with PHP 7.1.7 and MySQL above 5.0.12. This information has been automatically saved in a file for us as well.
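The same scan seen from the server side, as an added example that is not part of the original post: a small POSIX shell script that flags the UNION/NULL column probing described above in Apache access logs and counts hits per client. The log lines are constructed samples; the script path and parameter name mirror the BadStore setup above but are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the defender's view of the scan
# above. Given Apache combined-format access-log lines, flag requests that look
# like sqlmap's UNION/NULL column probing against a query parameter, or that
# carry sqlmap's default User-Agent, and count hits per client IP.
set -eu

# Constructed sample log (not real traffic). Paths and parameter names are assumed.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [31/Oct/2018:03:05:58 -0500] "GET /cgi-bin/badstore.cgi?action=view&customerid=1 HTTP/1.1" 200 2140 "-" "Mozilla/5.0"
198.51.100.7 - - [31/Oct/2018:03:05:59 -0500] "GET /cgi-bin/badstore.cgi?action=view&customerid=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 2319 "-" "sqlmap/1.2#stable"
198.51.100.7 - - [31/Oct/2018:03:06:00 -0500] "GET /cgi-bin/badstore.cgi?action=view&customerid=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2CNULL--%20- HTTP/1.1" 200 2319 "-" "sqlmap/1.2#stable"
203.0.113.5 - - [31/Oct/2018:03:06:10 -0500] "GET /cgi-bin/badstore.cgi?action=view&customerid=7 HTTP/1.1" 200 2140 "-" "Mozilla/5.0"
203.0.113.5 - - [31/Oct/2018:03:06:12 -0500] "GET /cgi-bin/badstore.cgi?action=view&customerid=7+union+select+null,null-- HTTP/1.1" 200 2140 "-" "curl/7.61.0"
EOF
}

# Normalise before matching: scanners vary case and encoding ("%20", "+", "%2C"),
# so decode the escapes that matter for the pattern and lowercase the line.
normalise() {
  sed -e 's/%20/ /g; s/+/ /g; s/%2[cC]/,/g' | tr '[:upper:]' '[:lower:]'
}

# Keep only lines matching either indicator: a UNION ... SELECT NULL[,NULL...]
# column probe (what "Generic UNION query (NULL) - 1 to 20 columns" looks like
# from the server's side), or sqlmap's default User-Agent string.
sqli_hits() {
  normalise | grep -E 'union( all)? select( null,?)+|"sqlmap/' || true
}

# Flagged requests per client IP (first field of the combined log format), busiest first.
hits_per_ip() {
  sqli_hits | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Number of flagged lines; grep -c exits 1 on zero matches, hence the || true.
hit_count() {
  sqli_hits | grep -c . || true
}

# Example run against the constructed sample; pipe a real access.log in the same way.
sample_log | hits_per_ip
```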

Looking through the advanced help there are a few parameters that seem interesting.

 

[Screenshot: sqlmap_advanced_help]
It’s critical to get comfortable using a tool’s native help functions, whether that’s ‘man pages’ in Linux, Get-Help in PowerShell, or any command line tool or interface, period.

 

I didn’t want to mess with the registry to prove access, since I wanted to more or less maintain the VM for later practice. So I went full script kiddie and used the File Write and File Dest options to upload the WhiteWinterWolf PHP web shell [https://www.whitewinterwolf.com/posts/2017/12/02/wwwolfs-php-webshell-users-guide/] to the web server. For the purpose of making it easier for me to upload files and browse the system, it was quite helpful. The first two images below are screenshots from the Windows 7 VM that I took to verify the file was uploaded.

[Screenshot: win7_peeking_at_directory]

[Screenshot: win7_textfile_php]

 

I was able to navigate to the web shell like so:

[Screenshot: z_webshell_in_use]
1: You can see how easy it is to upload a file from here and place it into the web server’s directory. It’s no harder to find the IIS web root, inetpub (this was serving a copy of the same website at the time, but I was more personally interested in Apache).
[Screenshot: z_webshell_in_use2]
2: Executing only minimal parameters in the shell gave me a list of the C drive contents and other information.
[Screenshot: z_webshell_in_use3]
3: You can use sqlmap to identify the web root, though I skipped that step, to be honest. I knew the web root was here for the ‘sql.com’ version of BadStore I was hosting.
[Screenshot: z_webshell_in_use4]
4: ‘del main.php’ executed in the directory deleted the file, breaking the site. When I ran it a second time I got the ‘Could Not Find’ error you see there.

Image 4 above shows where my assignment write-up left off, more or less. It did take me a fair bit of trial and error, since it was the first time I’d used sqlmap, but it really does a lot of the work for you. If you’re like me, then hosting and breaking your own vulnerable web apps is the easiest way to learn about and really understand how these systems work together. But you haven’t really done anything if you only use other people’s tools, so don’t neglect that side of study either!

All that’s left from here on out are the notes I kept for myself on the assignment and a footnote about proper use of sqlmap. Feel free to peace out at this point. I’d recommend visiting sqlmap.com to look at the demos and information they have available to learn more.

me@notes:~$

--os-shell (from the file access help in sqlmap)

I thought from the description maybe it meant a CMD shell on Windows. But it’s actually giving a whole bunch of options to find writable web root / htdocs directories.

[Screenshot: sqlmap_brute_force_common_dir]

[Screenshot: sqlmap_brute_force_common_dir_detail]

It wasn’t that helpful because the process user (which is what I was at the time) doesn’t have the privilege to write.

--priv-esc with --os-shell: Adding --priv-esc didn’t noticeably change the --os-shell output, and running it as the only parameter other than -u only gave stored session information.

--read-file=Index

[Screenshot: sqlmap_readfileindex]

If you open Index with nano there is nothing there…

[Screenshot: sqlmap_fileaccess2.png]

Not really sure if it’s reading anything or what good it is to me if I can’t personally read it. When I searched for a fake file it saved the information to a text file and didn’t make a document in the /www.sql.net/files directory.

 

*On sqlmap: At the time I last accessed sqlmap’s webpage, https was not configured. It is published under the GNU Public License. Please note their disclaimer: “Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.”

Spinning Up Your First Virtual Machine

Virtual machines, emulations of computers, are an amazing learning tool. If you have a single computer and want to learn about computer networking, web application pen-testing, or try a new Linux distro, virtual machines are your very best friend. By setting up one or more servers as virtual machines you can experiment with quite a bit!

All you need is a hypervisor, a program to run the virtual machines, and installation media for your virtual machine.

The two main options you’ll hear a lot about are the lovely open source Oracle Box [https://www.virtualbox.org/] and VMWare. You can get VMWare Workstation Player for free (Windows), or get a trial of VMWare Fusion (Mac) or VMWare Workstation Pro (Windows). But Oracle Box is free, and can run on any OS.

Let’s say you install Oracle box on your personal computer. Now you need installation media to install the operating system. This is pretty similar to installing an operating system on a ‘real’ computer. There are a lot of options as far as that goes. For example:

  • Kali Linux: Built with the security pro/nerd in mind, Kali comes with a ton of tools like Burpsuite already installed. https://www.kali.org/downloads/
  • FreeBSD: University of California, Berkeley Unix https://www.freebsd.org/where.html
  • FreeBSD also provides an open source firewall called pfSense
  • Ubuntu: A noob-friendly Linux distro https://www.ubuntu.com/download

Of course, you’re welcome to pay for Windows too…

Once you have your system image (your copy of the OS) you can install it on a virtual machine quite easily. Below I’ve included a guide for Oracle Box.

1. Open up VirtualBox and, naturally, click “New” to begin setting up a virtual machine. After clicking the ‘New’ button, you can enter the new virtual machine’s name, the type of operating system and the OS version, the memory size, and whether the hard disk should be created now, created later, or whether to use an existing virtual hard disk.

Give it a snazzy name, and make sure to set ‘type’ and ‘version’ appropriately.

[Screenshot: 2018-10-31 at 3.05.58 AM]

2. Determine how much memory to allocate to the VM. This will depend on your hardware specs, OS requirements, and how many virtual machines you want to be able to run on your hardware in the first place.

[Screenshot: 2018-10-31 at 3.11.33 AM]

Guided Mode isn’t that different from ‘Expert Mode’, by the way. It gives more detail about the options and makes suggestions for the values, but in reality provides the same options.

[Screenshot: 2018-10-31 at 3.14.15 AM]

3. If you’ve selected ‘create virtual hard disk now’ (and if this is your first VM, you’ll need to), then you’ll be confronted with the following:

[Screenshot: 2018-10-31 at 3.16.21 AM]

It’s worth noting that you may find you have difficulty exporting the VM from Oracle Box either way. Your mileage will vary but there always seems to be some sort of hiccup in my experience. If you think you might want to try VMWare later, you can create it as a VMDK which is compatible with both programs.

The allocation on your local disk is pretty self-explanatory since Oracle gave such a thorough description. I prefer dynamic allocation to save space on my hard drive until I need it, but it’s up to you. Just make sure wherever you create the file, you don’t tamper with it later.

[Screenshot: 2018-10-31 at 3.20.18 AM]

Simply give that file a recognizable name and choose its size.

[Screenshot: 2018-10-31 at 3.23.32 AM]

From here, it’s more or less dependent on which OS you are installing and what virtualized hardware you’ll want.

For example, you can alter the virtual machine settings to add an optical drive (think CD player), which you can load a .iso file into. ISO is often used for operating system images or other archives.
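The same VM built from the command line, as an added example that is not the post's own: VirtualBox's VBoxManage tool covers steps 1 to 3 above plus the optical drive, with the VMDK and dynamic-allocation choices discussed earlier. It assumes VirtualBox is installed and on PATH; the VM name, OS type, sizes and ISO path are placeholders you would change.

```shell
#!/bin/sh
# Added example, not from the original post: the VM the screenshots above build
# by hand, created with VirtualBox's own VBoxManage CLI instead. Assumes
# VirtualBox is installed and on PATH; every VM_* value below is a placeholder.
set -eu

VM_NAME="${VM_NAME:-kali-lab}"
VM_OSTYPE="${VM_OSTYPE:-Debian_64}"          # Kali is Debian-based; see: VBoxManage list ostypes
VM_MEMORY_MB="${VM_MEMORY_MB:-2048}"
VM_DISK_MB="${VM_DISK_MB:-20480}"
VM_ISO="${VM_ISO:-/path/to/installer.iso}"   # placeholder: your installation media
VM_DIR="${VM_DIR:-${HOME:-/tmp}/VirtualBox VMs/$VM_NAME}"

# Every VBoxManage call goes through here, so DRY_RUN=1 prints the plan
# instead of touching the host.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_lab_vm() {
  # Step 1: name, type and version (the "New" dialog), registered with VirtualBox.
  run VBoxManage createvm --name "$VM_NAME" --ostype "$VM_OSTYPE" --register
  # Step 2: memory, plus a NAT adapter so the guest can reach the internet
  # without being reachable from the rest of your network.
  run VBoxManage modifyvm "$VM_NAME" --memory "$VM_MEMORY_MB" --nic1 nat
  # Step 3: a dynamically allocated VMDK disk, the format both VirtualBox and VMware read.
  run VBoxManage createmedium disk --filename "$VM_DIR/$VM_NAME.vmdk" \
      --size "$VM_DISK_MB" --format VMDK --variant Standard
  run VBoxManage storagectl "$VM_NAME" --name SATA --add sata --controller IntelAhci
  run VBoxManage storageattach "$VM_NAME" --storagectl SATA --port 0 --device 0 \
      --type hdd --medium "$VM_DIR/$VM_NAME.vmdk"
  # Optical drive with the installer ISO loaded, so the VM boots into the installer.
  run VBoxManage storagectl "$VM_NAME" --name IDE --add ide
  run VBoxManage storageattach "$VM_NAME" --storagectl IDE --port 0 --device 0 \
      --type dvddrive --medium "$VM_ISO"
}

# Usage: sh make_vm.sh plan   (print the commands)   |   sh make_vm.sh create
case "${1:-}" in
  plan)   DRY_RUN=1 create_lab_vm ;;
  create) create_lab_vm ;;
esac
```

Run it with `plan` first and read the commands before running `create`; afterwards, `VBoxManage startvm "$VM_NAME"` boots the VM into the installer.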

I’m not sure how helpful this is or not, but if you have questions about basic set up let me know in comments. At some point, I’ll get started on an article to follow this one to explain various settings or options in depth, that may be confusing the first time you see them. My real agenda is to provide instructions on hosting a website from your virtual machine, in order to introduce tools like Burpsuite or OWASP’s testing tools.

Advice for first year IT students

Maybe you always knew you wanted to pursue a career in computing, or maybe computers are a new love for you. But when I started my IT degree I had already put years into a fine art degree. I had no idea how computers, or networks, worked but my curiosity had been piqued by increasing advances in technology and its impact on our daily lives. When I realized how intimately connected my life was with various technologies that were each essentially a black box to me, I had to know more about them!

Even if you have some experience, you may not be sure where to start, how to prepare for higher level courses or what is expected of you outside of school. As with a foreign language, the best way to learn and understand something thoroughly is through immersion and hands-on practice. So your first priority should be to get a lot of exposure and have as much fun as possible getting it!

Starting from Square One

This is simply a list of suggestions I would give to myself a few years ago. These are mostly things I’ve been advised to do and have already done myself, as well as a few things I’m working towards myself (like contributing to open source projects and teaching others).

  • Build good foundational knowledge. To understand networking you need to understand at least a little about computers, operating systems, browsers and networking devices. You may go into shock at the sheer amount of acronyms but trust me, they will seem second nature after a while.
  • CompTIA A+ and Network+ exam objectives or test prep books can give you a good idea of what you should know. CompTIA provides vendor-neutral tests that certify a certain level of IT knowledge and skill. A+ essentially certifies that you have basic technical support and troubleshooting skills. Network+ is a step above and focuses more on troubleshooting and design of networks than A+ does. Even if you know most of this already it’s worth looking into in order to address any gaps in your knowledge.
  • Balance book-learning with hands-on learning. Don’t just plow through a textbook or training manual without trying things out yourself. You do need to understand the general ideas before you can build your own lab but don’t over do theory at the expense of application. Which brings us to…
  • Make yourself a home lab. This is one of the best things you could do for yourself as an IT student. The easiest way to experiment with different operating systems and networking configurations is to set up virtual machines with software like Virtualbox or VMware Player. Virtualization gives you so much freedom to experiment without additional cost. Your biggest limits are how much RAM and storage space you have, and your imagination. Everything makes more sense and sticks better when you go through the process of doing it yourself.
  • Make one of your VMs Kali Linux. Kali is chock-full of hack tools and if you’re anything like me it can make it way more fun and easy to learn how things work. For example, reading about how websites work often makes me want to pluck out my eyes. But fire up Burpsuite to learn how to map and exploit a website and suddenly it’s 100% more interesting.
  • If you have the funds and time build your own desktop. It’s fun, it’s custom and it’s educational.
  • Find technology conferences in your area and go to them. It’s a great chance to see what professionals are talking about and learn from them. Most security conferences have various “villages” focused on different skills like lockpicking, badge building, hardware hacking, social engineering or other areas of interest. You can hang-out and learn something new in a laid back environment. There will certainly be presentations and maybe some workshops, competitions or Capture-The-Flag contests (basically jeopardy style computer nerd puzzles).
  • If there are no conferences in your area or within driving distance, your school may have a computer engineering, information technology, or cybersecurity club you could attend and learn from. There may be Python, Linux, security or otherwise techie meetups you can participate in. Look for your local DefCon group as well [something like DC123].
  • Consider checking out infosec twitter, or finding subreddits in your area of technological interest.
  • Don’t psych yourself out. Often, when I invite someone to check out the security club at school they tell me they are worried they don’t know enough. Everyone feels that way at some point, but the whole point of the club is to learn together! What you’re doing to progress, and whether you have the drive to do so, matters more than what you know at this exact moment. If you put in serious effort, and don’t act entitled to other people’s time, you’ll find there are plenty of people who want to share what they know or are willing to give some general guidance.
  • Come up with projects that are fun for you! Build a website, set up a VPN on your Raspberry Pi. Consider donating your services to a non-profit to contribute to your community and gain experience.
  • Find an open-source project you love and want to contribute to and use it to learn to code. It might sound crazy but it can be, and has been done.
  • Learn something, teach something. Whether that means a lightning talk, tutoring, blogging, or starting a club!

What this whole list really comes down to is relax, explore, experiment, and get involved in the community. If you can have fun and work hard at the same time there is really no limit to what you can accomplish.

Why should I try College Cyber Defense Competitions?

If you are an information technology or cybersecurity student with the opportunity to participate in a collegiate cyber defense competition I highly recommend you take advantage of it. If you don’t have the opportunity to join an existing team I suggest you make one!

Why? Because when you are tasked with defending a network you’ve never seen before, with one hand tied behind your back, while your CIO and CEO demand extensive reports and policies be written while you respond to intrusions … a lot of things start to click. Things that you’ve learned in class, or through personal experimentation, get tied together within a greater context. You’ll learn from your teammates and be forced to learn new tools or concepts on the fly. And, if you’ve never been given administrative privilege in a network not of your own design, this is an extremely useful experience.

It’s a really, really bad day at work simulator.

It will test your nerves, communication skills, technical skills, team cohesion, and organizational skills.

You might stress-break-out but you’ll get a hell of a rush when you take back machines.

At some point, you’re going to think the hackers have taken down a service or system and, if you’ve kept good enough change logs, within five minutes you’ll discover that you, or a team member, hurt yourself by overhardening. If you don’t have good enough change logs or your team isn’t gracious and humble enough to absorb mistakes you’re gonna have a bad time. This fear is affectionately and resentfully referred to as The Ghost of Red Team. And it’s a perfect example of how psychological this event is. Unlike an athletic sport, you can’t compare your team’s performance to others, and you may not be sure about your adversaries’ performance either.

Similarly, if your team doesn’t have enough respect for business injects, such as the aforementioned policy writing assignments and reports, you will lose. It’s not the cool job and nobody wants to do it but you will lose if someone doesn’t do it and do it well. Just like you need all your services up as long as possible, you need every inject turned in and done as well as possible.

These competitions are incredible learning experiences and potentially good networking opportunities. In light of that, I’d like to be able to help students who are interested in cyber defense competitions get an idea of what they’re in for and how to prepare. I can’t and won’t get into specific detail about particular competitions. But, I can and will write what I would have liked to know about preparing for competitions in general. Hopefully, it’s beneficial to you.