Cybersecurity Podcasts

I was recently asked to give recommendations for Cybersecurity Podcasts to students in college that are majoring in Security. The usual problem with security podcasts (and podcasts in general) is that they frequently become static and in some cases a year or more goes by before they are updated.

There are actually many more cybersecurity-related podcasts than what I have listed here, but these should keep you up to date without getting overloaded.

Here are some of the main ones that I know that are kept up to date.

Threatpost Security Podcast

Breaking Security Podcast

White Rabbit Podcast

Security Weekly

Defensive Security Podcast

OWASP 24/7 Podcast

Risky Business Podcast

Building Metasploitable 3 on Ubuntu/Debian

Recently I attempted to build the new Rapid7 Metasploitable 3 VM for use in my pentest lab on Ubuntu 16.10. I followed the instructions on their GitHub page to the letter, but failed in a variety of areas. The good news is that I was able to hack my way through all of them to get it built. This blog entry goes through the steps you need to take to successfully build the VM on an Ubuntu/Debian-based system. I’m assuming you may run into similar issues on a Fedora-type system, but your mileage may vary.

Packer

No issues with Packer, beyond just installing it with: sudo apt-get install packer

Vagrant

First you need to install Vagrant: sudo apt-get install vagrant

Second, before you can build the vagrant-reload plugin, you need to install the ruby-dev package with:

sudo apt-get install ruby-dev

Now you can install the plugin with: vagrant plugin install vagrant-reload

Due to the dependency upon WinRM and with the Vagrant version in the Ubuntu/Debian repo you will need to install:

vagrant plugin install winrm --plugin-version 1.8.1
vagrant plugin install winrm-fs

The 1.8.1 version is key in order for the build to complete successfully.

Metasploitable 3 Build Script

The Metasploitable 3 build script has some checks that fail due to the latest version of VirtualBox that’s in the Ubuntu/Debian repo. The main reason is that the script checks for a specific version of VirtualBox, and since on Ubuntu/Debian you’re running a newer version than what the build script requires, it fails.

Since we know we already have the necessary dependencies built, we can just run the build commands manually:

TMPDIR=/home/tmp packer build windows_2008_r2.json

The TMPDIR directive was another gotcha as I only had 1GB of space allocated to my /tmp filesystem and the process ran out of space. Point the TMPDIR variable to a path where you have enough space.

Now we can create the Vagrant box with:

vagrant box add windows_2008_r2_virtualbox.box --name metasploitable3

And then start it up with just: vagrant up and you’re good to go.

Happy Hacking!
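
A preflight for the build steps above, as an added example that is not part of the original post or of Rapid7's build script: it checks that packer and vagrant are present, that the three Vagrant plugins are installed with winrm at exactly 1.8.1, and that TMPDIR has room before the long packer run. The function names, the --build switch and the 20 GiB MIN_TMP_KB default are assumptions made for this example.

```shell
#!/bin/sh
# Added example: preflight for the manual Metasploitable 3 build on Ubuntu/Debian.
# MIN_TMP_KB is an assumed placeholder (20 GiB); the post only says 1GB of /tmp
# was not enough, so tune it to your build.
MIN_TMP_KB="${MIN_TMP_KB:-20971520}"

# plugin_version NAME: read `vagrant plugin list` text on stdin and print the
# version of NAME. Lines look like "winrm (1.8.1)" or "winrm (1.8.1, global)".
# Exit status is non-zero when the plugin is not listed.
plugin_version() {
  awk -v want="$1" '
    $1 == want { v = $2; gsub(/[(),]/, "", v); print v; found = 1; exit }
    END { exit !found }'
}

# check_plugins: read plugin-list text on stdin, require the three plugins the
# post installs, and require winrm to be exactly 1.8.1. Returns problem count.
check_plugins() {
  list="$(cat)"; problems=0
  for p in vagrant-reload winrm winrm-fs; do
    if ! v="$(printf '%s\n' "$list" | plugin_version "$p")"; then
      echo "missing plugin: $p"; problems=$((problems + 1))
    elif [ "$p" = winrm ] && [ "$v" != "1.8.1" ]; then
      echo "winrm is $v, the build needs 1.8.1"; problems=$((problems + 1))
    fi
  done
  return "$problems"
}

# free_kb DIR: KiB available on the filesystem that holds DIR.
free_kb() {
  df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# preflight: run every check against the live system; 0 means safe to build.
preflight() {
  tmp="${TMPDIR:-/tmp}"; rc=0
  for tool in packer vagrant; do
    command -v "$tool" >/dev/null 2>&1 || { echo "not installed: $tool"; rc=1; }
  done
  [ "$(free_kb "$tmp")" -ge "$MIN_TMP_KB" ] ||
    { echo "less than $MIN_TMP_KB KiB free in $tmp; point TMPDIR elsewhere"; rc=1; }
  vagrant plugin list 2>/dev/null | check_plugins || rc=1
  return "$rc"
}

# Run the checks, then the build command from the post, only when asked to.
if [ "${1:-}" = "--build" ]; then
  preflight && packer build windows_2008_r2.json
fi
```

Saved as a script and run from the Metasploitable 3 checkout with TMPDIR set as in the post and --build as the argument, it stops before packer starts if any check fails.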

Security Links for March 2016

Here are some new security-related (for the most part ;) links from the month of March 2016

Bitcoin Wisdom – Trading-type Terminal for Bitcoin – https://bitcoinwisdom.com/

Zone Transfer Tutorial – https://digi.ninja/projects/zonetransferme.php

Debian Hardening Wiki – https://wiki.debian.org/Hardening

Standard Password Manager for UNIX – https://www.passwordstore.org/

Is your Browser safe against tracking? – https://panopticlick.eff.org

Have I been Pwned? – https://haveibeenpwned.com/

CryptoPals – Cool CTF for Crypto – http://cryptopals.com/

Nice Tool to Tell What CMS A Site is Running – https://whatcms.org/

A simple SSL/TLS proxy with mutual authentication for securing non-TLS services – https://github.com/square/ghostunnel

Find out if a site is down globally – http://www.downforeveryoneorjustme.com/

DNS Zone Transfer Tool – https://github.com/stryngs/axfr-tools

Nice Coding Guide for N00bs – http://download-mirror.savannah.gnu.org/releases/pgubook/ProgrammingGroundUp-1-0-booksize.pdf

Ransomware seems to be popular these days. Here’s a site that tracks the variants – https://ransomwaretracker.abuse.ch/tracker/

Need I say more? – http://www.routerpwn.com/

Security Links for February 2016

Made a blunder on the droplet that runs this blog on Digital Ocean and lost the previous two security link blogs. Luckily had a backup from August that I was able to restore from. Anyways, here are the security links for February 2016.

Application Security Learning Resources – https://github.com/paragonie/awesome-appsec#application-security-learning-resources

A Dead Simple TCP Intercepting Proxy Tool Set – https://www.praetorian.com/blog/trudy-a-dead-simple-tcp-intercepting-proxy-mitm-vm

Let’s Encrypt Audit – https://community.letsencrypt.org/t/independent-audits-of-lets-encrypt-finished/6518

Introducing the Keybase filesystem – Sounds like a sane approach to encrypting data at rest – https://keybase.io/docs/kbfs

Securely Hash Passwords – https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords

An Interesting Online Scanner – https://www.censys.io/

Another Attempt at Creating a Secure Linux Distro – https://www.parabola.nu/

An open-source network simulator/emulator hybrid (Tor & Bitcoin) – https://shadow.github.io/

For Encrypting/Decrypting Data on the Fly – https://encipher.it/

Red Team Field Manual – http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504/ref=pd_bxgy_14_3?ie=UTF8&refRID=19V4X7X4WW7215V446N7

Decentralized DNS for Blockchain Applications – https://blockstack.org/

Github Bounty Program – https://bounty.github.com/index.html#open-bounties

Send An Urgent Message to a Friend When You’re in Trouble (i.e. Feds are knocking at your door) – http://www.snapmailemergency.com/

Get your cheap exploits here – http://cheapbugs.net/#home

Educating Youth for Cyber Security Careers

This past week I attended the Northeast Ohio Cyberconsortium conference sponsored by a number of entities in the Cleveland, OH area. The goal of the conference was to stimulate a collaborative effort around building up and sharing information around Cyber Security as it relates to the North East Ohio area. One of the main talks was about the skills shortage in Information Security and what should be done to increase the talent pool. The proposition (they loved throwing this word around) offered was to build educational programs in the school systems around Cyber Security at as early an age as possible. I think the NSA said that they get the gifted ones as early as 3rd grade and for security we should consider preschool.

The goal is an excellent one, but the reductionist attitude offered presents a number of challenges. The one problem is that you simply cannot teach Information Security as an isolated discipline. There are a number of prerequisites that are necessary before you can even start to teach kids security. To name a few:

  • Computer Architecture – X86/X64/ARM
  • Operating Systems – UNIX/Windows/OSX/Android/IOS
  • Programming – Powershell/Python/Perl/Bash
  • Networking – TCP/IP, OSI, Ethernet, Wifi

These are all complex domains by themselves, and when you add on to that the various security principles that need to be applied, you can see it’s not as cut and dry as you may think.

Then there are the ethical challenges, in that to really understand how to secure things you have to understand how to break things. This will no doubt create dilemmas with existing school policy and what the kids can currently do with school equipment.

So I think what really needs to happen to make this achievable is a complete rewrite of existing educational plans. I think a structure more like college should be implemented where kids that are interested in a given domain like Cyber Security can elect to make it their ‘major’ and by doing so a specific roadmap would be produced for their educational career.

The other thing to keep in mind is that not all kids will be interested in such a field nor have an aptitude for it, as you need to think about problems in a very detailed and logical way and not everyone’s brain is wired this way.

Let’s Encrypt Talk @ Debconf15

At this year’s Debconf15, a nice overview of the Let’s Encrypt project was given that you can view here. It’s a nice exposition as to the current broken state of CAs and the project’s plan to fix it. Let’s Encrypt is going to be making free certificates available in the next month or so.

Will this be a game changer for commercial CAs that make their profit off of selling certificates? Probably not in the short term, and a large part of the answer will depend upon adoption and getting the Root & Issuing CAs added to the trusted browser stores.

Security Implementations & Scaling

I have been doing Information Security for a decade and a half and there is a disturbing pattern that still to this day has not abated. That pattern involves more of a philosophy than the actual scaling you would need for designing a security solution for an organization. The scaling law I’m talking about is one that is usually recognized too late in the implementation process, namely the post-production phase of a project.

What I’m referring to is the amount of output you have to deal with as a result of implementing a security solution without considering the resources necessary to manage it and the resulting business processes that need to accommodate this reality.

One of the best use cases that demonstrates this phenomenon is the implementation of a Data Loss Prevention (DLP) solution for an enterprise. A typical DLP solution usually involves three main areas:

  • Data in Motion – Data that traverses the network
  • Data at Rest – Data that is stored on disk
  • Endpoint Data – Data that typically is read and written to removable media

You have a number of approaches you could take. The most reasonable would be to focus on the one of the three areas that you consider vital and to scale the scope of the inspections to a very specific set of criteria. Is this how most DLP deployments go? No, instead usually all three are turned on at the same time and there is no scaling back of the criteria.

The result: more incidents and false positives than fleas at the Westminster Canine convention. Once this scenario is encountered you end up scaling back your efforts and lose at least 3 months of progress. So do yourself a favor when implementing a security solution and understand what your outputs are before they are produced.

Python Script for Searching ExploitDB

So I was looking to clean up my Twitter favorites list, and starting with the oldest one, dated from 2011, it was from an article about using a Python script for searching the local ExploitDB instance on BackTrack. So of course it piqued my interest, and clicking on the source link directed me to a parked domain. Common problem with open source tools. After performing some Google-Fu, I found a copy and downloaded it to my Kali instance, and of course it didn’t work, as the path for ExploitDB has changed.

So after a trivial change of pointing it to the correct path, bingo, it works. I have created a ‘Kali’ repo on my GitHub if you want to grab it and I’m probably going to be making some updates to it over time.

2013 Security Reading List

During the second week of December I realized that our group had not used their 2012 training budget. Realizing that there was not enough time to get a formal security class under way before the end of the year, I suggested to my manager that our group use the funds to order security-related books. He gave us the green light and behold the list below. Goal is to finish them by December 31, 2013. We’ll see what happens.