Monday, December 28, 2015

On The Topic of Deploying Honeypots

Hey everyone - I hope you are having a good holiday.  A little while ago, I came across an article about the operational security (OPSEC) of deploying honeypots for industrial control systems.  The article is here, and I thought it brought up an interesting point about deploying defenses in a network.

Monday, December 21, 2015

Be Merry This Holiday: Be Careful Where You Click

Hey everyone - With the holidays right around the corner, you might be scrambling for that perfect holiday gift.  You might be buying that gift online.  Even though we have seen breaches at large stores like Target, Home Depot, and Neiman Marcus, information compromise can happen when shopping from your computer at home.

Monday, December 14, 2015

On The Topic of Being Too 'Careful'

Hey everyone - We have seen a number of data exfiltration methods that hide data in plain sight.  Things like Twittor, IRC, Facebook, domain fronting, et cetera. Using services and protocols for purposes other than they were intended is nothing new (that last link was published in 2010).  As a network defender, your first reaction may be to block the protocol or service.  However, as more otherwise legitimate services and protocols are being used in this way, how do you draw the line?  If you are worried about Amazon Web Services (AWS) as a command and control (C2) channel, do you block all of AWS?  That could be problematic for your organization.  So where do you draw the line?

Monday, December 7, 2015

On Mozilla's Automated Add-On Scanning For Firefox

Hey everyone - This might be obvious to some of you, but browsers are a large attack surface in modern computing.  We do all kinds of things in our web browsers: banking, shopping, paying bills, reading news, and watching videos.  Some of that should remain private, so it is important to ensure that we are doing as little as possible as users to compromise that privacy.  This includes some of the easy things: using HTTPS wherever possible (and making sure the certificate is signed by an appropriate authority) and being careful of links we click on and sites we visit.  It is also important to be careful of software (extensions) that enhances the browser for the sake of convenience or to do something that the browser's developers did not envision.  These extensions can add some really useful functionality to the browser, like ad-blocking, or debugging if you are developing web sites.  However, even inside of the walled garden of the browser's ecosystem, malicious software can slip in.  This causes a problem for the browser developer: how do you scale the vetting of these extensions?

Monday, November 30, 2015

Some Consequences of An Inadequate Information Security Policy

Hey everyone - Information breaches are common nowadays.  It almost seems like we have grown immune to them.  They can happen for a variety of different reasons and can happen on purpose or inadvertently.  I want to talk about one that I stumbled across while perusing news articles, because I think it raises some interesting points.

Monday, November 23, 2015

On The "First" Linux Ransomware

Hey everyone - This is a little dated at this point, but I thought it would be interesting to talk about the first piece of Linux ransomware to make news.  Ransomware is somewhat old news on Windows, but this is the first time I have heard about it on Linux.  I suppose there is a first time for everything.  Let's discuss it.

Monday, November 16, 2015

Domain Fronting and You

Hey everyone - I was reading some articles, and I came across a paper on something called Domain Fronting.  I wanted to talk a little bit about it because it seems like an interesting way to hide in plain sight.

Monday, November 9, 2015

On The Security of the Linux Kernel

Hey everyone - This week, I wanted to talk a little bit about an article I recently read in the Washington Post about the inherent "insecurity" of the Linux kernel due to the attitude of its creator, Linus Torvalds.  I think the article is worth a read because I believe it touches on an interesting concept that I believe is one of the underpinnings of information security: the security of a system should not be determined by each of its individual parts, but rather, the security of those parts as a whole.

Monday, November 2, 2015

Credit Downgrade for Lack of Cyber Security?

Hey everyone.  I am a big proponent of consequences for those that shirk their responsibility to protect data that they collect.  It looks like S&P wants to hold banks accountable for loose information security practices.  Let's talk about it.

Monday, October 26, 2015

Two For One: Steam Link Root Access, WD MyPassport Encryption Vulnerabilities

Hey everyone! In this post, I wanted to talk about two interesting things I came across this week.  First, now that the Steam Link is shipping pre-orders, people have started to play around with it and see what it can do.  It looks like it is another embedded device running Linux.  That makes for some interesting possibilities.  Second, with encryption becoming more and more mainstream lately, more manufacturers have incorporated it into their products.  That does not mean they always do it right.  Let's get started...

Monday, October 19, 2015

Quickie: Yet Another Flash Zero Day

Hey everyone!  This will be a quick post, but I wanted to write something about the newest Flash vulnerability that has been a hot topic of discussion this week.  Trend Micro wrote up a short analysis of the vulnerability here, and you can check out the associated CVE here.

I have read a number of posts from people and websites (like this one) that say the best course of action is to uninstall Flash.  This is great advice if you do not visit sites that require Flash.  I always believe that if there is a piece of software installed on your box that you do not need, you should get rid of it.  Each piece of software installed on your box is a potential attack vector.  However, some financial institutions and corporate websites still use Flash, so uninstalling might not be an option for you.  What do you do then?

Monday, October 12, 2015

Vigilante "Malware"?

Hey everyone - I guess I could not stay away.  I will try to post something new when I can, but I do not want to sacrifice quality just to get something out.  I will try my best to post every week or every other week.

Today, I wanted to talk about an interesting article that I read about so-called "vigilante" malware.  The full article was written by Symantec, and is available here.  Allegedly, source code is available here, but I would take that with a grain of salt.   The malware is dubbed Linux.Wifatch and has actually been around since 2014 (and maybe as early as 2013).

Monday, October 5, 2015

Examining Linux Process Memory: Part 2

Hi everyone!  This is the final installment in our look at Linux process memory.  Before we dive in, I want to mention one thing.  Going forward, I think the cadence of these posts is going to change a bit.  Due to some things going on, I am going to try to post once every two weeks for a little while.  This blog is not my day job, so I can only spend spare time on it.

With that out of the way, let's pick up where we left off last week.

Monday, September 28, 2015

Examining Linux Process Memory, Part 1

Hey everyone.  This is the first part in a two part series where we will briefly examine reading process memory in Linux.  I was inspired by a tool that reads credit card track data out of process memory in Windows.  After I saw that tool, I wondered to myself how hard it would be to do something similar in Linux, but with Python.  In this part, we will talk about how we can access memory in Linux.  In the second part, we will look at a script that does similar work to the Powershell script linked above.
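As an added illustration of the approach described above (this is example code written for this page, not the script from the post), the following reads a process's memory on Linux through the procfs interface: `/proc/<pid>/maps` lists the mappings and their permissions, and `/proc/<pid>/mem` lets you seek to a mapping and read its bytes. The scanner looks for track-2 style data (PAN, `=`, expiry, service code) and uses the Luhn check to discard digit runs that are not card numbers. The sample track-2 string is constructed test data using a well-known test PAN; the 256 MiB per-mapping cap and the list of mappings to skip are assumptions. Reading another process requires ptrace permission (root, or the same user with Yama `ptrace_scope` permitting it), so the demo scans its own process, which is always allowed.

```python
"""Scan a Linux process's readable memory for track-2 card data via /proc."""
import os
import re

# Track 2 layout: PAN (13-19 digits), '=', YYMM expiry, 3-digit service code,
# then optional discretionary data.  The ';' and '?' sentinels are not
# required here because software often keeps the data without them.
TRACK2_RE = re.compile(rb"(?<![0-9])([0-9]{13,19})=([0-9]{4})([0-9]{3})[0-9]{0,20}")

MAX_REGION = 256 * 1024 * 1024            # assumed cap: skip enormous mappings
SKIP_MAPPINGS = ("[vvar]", "[vsyscall]")  # kernel pages that are not readable via mem

# Constructed test data: a widely used test PAN, not a real card.
SAMPLE_TRACK2 = b";4111111111111111=2512101123456789?"


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def readable_regions(pid: int):
    """Yield (start, end, path) for every mapping with the read permission bit."""
    with open(f"/proc/{pid}/maps") as f:
        for line in f:
            fields = line.split()
            addrs, perms = fields[0], fields[1]
            if "r" not in perms:
                continue
            start, end = (int(x, 16) for x in addrs.split("-"))
            path = fields[5] if len(fields) > 5 else ""
            yield start, end, path


def read_region(mem, start: int, end: int) -> bytes:
    """Read one mapping; return b'' if the kernel refuses (e.g. special pages)."""
    try:
        mem.seek(start)
        return mem.read(end - start)
    except (OSError, OverflowError, ValueError):
        return b""


def scan_process(pid: int):
    """Return a list of track-2 hits found in the readable memory of pid."""
    hits = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for start, end, path in readable_regions(pid):
            if end - start > MAX_REGION or path in SKIP_MAPPINGS:
                continue
            data = read_region(mem, start, end)
            for m in TRACK2_RE.finditer(data):
                pan = m.group(1).decode()
                if not luhn_ok(pan):
                    continue        # digits that happen to contain '=' but are not a card
                hits.append({
                    "pan": pan,
                    "expiry": m.group(2).decode(),
                    "service_code": m.group(3).decode(),
                    "address": hex(start + m.start()),
                    "mapping": path or "[anonymous]",
                })
    return hits


def plant_and_scan() -> bool:
    """Keep a copy of the sample in our own heap, then scan ourselves for it."""
    planted = bytearray(SAMPLE_TRACK2)   # lives in an anonymous/heap mapping
    hits = scan_process(os.getpid())
    found = any(h["pan"] == "4111111111111111" for h in hits)
    del planted
    return found


if __name__ == "__main__":
    for hit in scan_process(os.getpid()):
        print(hit)
```

Because the scan reads every readable mapping, it will also find the literal in the script's own source text loaded into memory; on a real target the `mapping` field tells you whether a hit came from the heap, a file-backed page, or a shared library.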

Monday, September 21, 2015

A Little Fun with Scapy: Writing a Port Scan Detector

Hey everyone! This week, I thought it would be fun to play around with scapy.  Scapy allows you to manipulate packets to do basic things like port scanning or host discovery, but also things that might seem strange at first, like sending malformed packets.  You might want to do that if you were trying to test an application for vulnerabilities by trying to see how it would react to a corrupted packet or stream.  It is a really cool tool, and today, I am going to use it to implement a port scan detector.
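The detection logic such a tool needs, as an added example written for this page rather than the post's own scapy script: it counts the distinct (host, port) targets that each source sends bare SYNs to inside a sliding time window and alerts once a source crosses a threshold. Only SYNs without ACK are counted, so a server's SYN/ACK replies and a client that reconnects to one port many times do not trip it. The window, threshold and the packet summaries fed in are constructed assumptions; with scapy, `sniff(filter="tcp", prn=...)` would supply the same fields from live packets.

```python
"""Sliding-window TCP port-scan detector over packet summaries (added example)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0   # assumed: how far back to look per source
THRESHOLD = 15          # assumed: distinct (host, port) targets that count as a scan


class PortScanDetector:
    def __init__(self, window=WINDOW_SECONDS, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # src_ip -> deque of (ts, dst_ip, dport)
        self.alerted = set()               # sources already reported

    def observe(self, ts, src, dst, dport, flags):
        """Feed one TCP packet; return an alert string or None.

        flags is the TCP flag letters as scapy renders them ("S", "SA", "PA"...).
        Only bare SYNs are connection attempts worth counting.
        """
        if "S" not in flags or "A" in flags:
            return None
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > self.window:   # drop events outside the window
            q.popleft()
        targets = {(d, p) for _, d, p in q}
        if len(targets) >= self.threshold and src not in self.alerted:
            self.alerted.add(src)
            return (f"possible port scan from {src}: {len(targets)} distinct "
                    f"(host,port) targets in {self.window:.0f}s")
        return None


def demo():
    """Run the detector over constructed traffic: one scanner, one busy client."""
    det = PortScanDetector()
    packets = []
    # constructed: 10.0.0.66 probes 20 ports on 10.0.0.10 within one second
    for i in range(20):
        packets.append((100.0 + i * 0.05, "10.0.0.66", "10.0.0.10", 1 + i, "S"))
    # constructed: 10.0.0.5 opens 20 HTTPS connections to the same server, each answered
    for i in range(20):
        packets.append((100.0 + i * 0.05, "10.0.0.5", "10.0.0.10", 443, "S"))
        packets.append((100.01 + i * 0.05, "10.0.0.10", "10.0.0.5", 50000 + i, "SA"))
    packets.sort(key=lambda p: p[0])
    alerts = []
    for pkt in packets:
        alert = det.observe(*pkt)
        if alert:
            alerts.append(alert)
    return alerts


# With scapy installed, the same detector can be driven from live traffic, e.g.:
#   from scapy.all import sniff, IP, TCP
#   det = PortScanDetector()
#   sniff(filter="tcp", store=0, prn=lambda p: print(det.observe(
#       p.time, p[IP].src, p[IP].dst, p[TCP].dport, p.sprintf("%TCP.flags%")) or "", end=""))

if __name__ == "__main__":
    for line in demo():
        print(line)
```

The threshold is deliberately on distinct targets rather than packet count: a retrying client generates many SYNs to one port, while a scanner's signature is breadth. Tune the window and threshold to your network; a slow scan that spreads probes over hours needs a longer window or a per-source lifetime counter.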

Monday, September 14, 2015

Malware's Use of Legitimate Software

Hey everyone.  I was browsing the Internet when I stumbled across a couple of links that got me thinking.  In this post, we will discuss malware that leverages "legitimate" software to do its dirty work.

Monday, September 7, 2015

My Thoughts On "The Basic Principles Of Security and Why They Matter"

Hey everyone - I stumbled across this article entitled "The Basic Principles Of Security and Why They Matter."  I think it is a good read, and I wanted to share my thoughts on some of the topics raised in it.  So without further ado...

Monday, August 31, 2015

Examining Router Firmware

My last post got me thinking about whether the CSRF bug that sonar relies on in its example has been fixed. For this post, I decided to see if I could figure out the changes that Asus made to the firmware to determine if the sonar fingerprint might be affected by the bug.

Monday, August 24, 2015

WebRTC and Host Enumeration

Hey there everyone.  I know it has been a long time since I last updated this, but there has been a lot going on.  Between personal stuff, work craziness, the Windows 10 launch, and some other things, I have not had time to make a post.  Things are starting to die down a bit (hopefully), so my goal is to post here more often.

I was browsing /r/netsec yesterday when I stumbled across an interesting post: sonar - A Framework for Scanning and Exploiting Using Internal Hosts (link to source article).  This piqued my interest because it is a compelling way for a pen-tester (or malicious actor) to perform host enumeration inside of a network without having a presence inside of the target network.  The technique relies on the victim's browser being WebRTC enabled, so let's take a moment to talk about what WebRTC is and why we should care.  Then, we will talk about what makes Sonar interesting.  Finally, we will talk about some mitigations.

Wednesday, July 1, 2015

Setting Up Your Playground

This post is not strictly information security related, but it will help set the foundation for exploration going forward.  In addition to being passionate about information security, I am also passionate about systems architecture and figuring out how to put the pieces together to come up with a solution.

The question I needed an answer to was:

How should I set up my home lab?

New Blog, First Post

Hey everyone!  The purpose of this blog is to share experience and opinion about various topics in Information Security.  In my opinion, information security spans a number of different topics and reaches from the depths of the datacenter to the keyboard in front of the user and beyond.  I believe that it is important that everyone with a stake in the security of information systems be aware of the threats facing systems and what mitigations are available.

Why Attack Zero?

Attack Zero is a play on the idea of "patient zero," or the first case of a condition, illness, or syndrome.  In incident response (one of the many aspects of information security), one of the goals of an investigation is to find the origin of an attack.  We will explore attacks on systems, the tools used to perpetrate those attacks, as well as the philosophy of the attack.

I hope that this blog will be a vehicle for healthy discussion.  I do not pretend to have all of the answers, but I have a passion for learning and sharing knowledge. If you have any feedback, feel free to comment on a post.