Sunday 21 January 2018

OSCP

Soooo... after lot of hard work, and a lot of being told by other OSCP alumni to "Try Harder", I eventually made the grade third time round. This certification is easily the toughest I've ever taken. The amount of self study and practice required to pass is huge. Even after three exhausting full-length 24 hour exams, I actually regret that the whole experience is now over. The good news is that I now have a solid foundation on which to build my own further study and research into pen testing, and no intention of stopping. Pen testing is officially a hobby for me now, but I will be taking a year out from any such studying. The drain on my personal life has just been too much, going into OSCP straight after an MSc. Give me a year out and I will look at the next step on the OffSec training ladder, which I believe is OSCE or OSEE.

Thursday 16 March 2017

Qualifications, Certifications, 24 Hour Examinations, Oh My!

It's been a while since my last post. There is so much I could write about but simply haven't found the time. So instead, here is a moderately rambling personal update.

First of all, I neglected to mention that last year I finished my MSc in Cyber Security at Northumbria University and graduated with distinction. Only 4 people out of 20 passed the course, and only one with distinction. Did I mention that might have been me? This is a big deal for me personally and I feel smug and proud to the point that I'm going to take a moment to just sniff my own fart...

OK I'm back. I just submitted a revised version of my thesis as a chapter for an upcoming Springer book publication on Cyber Threat Intelligence. If it is accepted, then next steps in this area will be to pick up development of my adaptive Tor traffic associations algorithm where I left off.

To add to my CEHv8 certification and my MSc, I've also just signed up for 3 months of lab time for my OSCP. This culminates in a 24 hour examination, in which the objective is to use Kali Linux to perform a penetration test of an environment, find as much as you can, and produce a pen test report. A 24 hour exam?! WTF man. You know people have been known to die from staring at a screen for 24 hours right? I hope and imagine that there will be time for the odd power nap here and there while waiting for scripts to run, hashes to be cracked etc.

Exciting stuff.

I've had some great exposure to a number of credential harvesting phishing attacks recently, which have really opened my eyes to how brazen these cyber scumbags are prepared to be. How the fuck do they get away with this stuff? "Complete lack of attribution on the internet", and "refusal of service providers to cooperate in investigations and takedown requests" is my conclusion based on observations.

In my recent excursions into the dark web, I found some neat stuff and made a few changes to my opsec. Maybe I'll write this up in a separate post in the not too distant future.

Oh... finally, books I'm reading at the moment:

  • Thinking Fast and Slow by Kahneman. This is awesome beyond words but repeatedly mind blowing. Like every couple of pages on average, I need to stop and try to digest what I've just been told and try to make sure I don't forget it. This makes it quite an exhausting and time-consuming read, at least for me. Highly recommended. Based on my current reading pace, I might have finished reading this in the next two or three months so will write up some thoughts then.
  • Ghost in the Wires by Mitnick. It's not going to win any prizes for great writing, but the story is very compelling. It's a great introduction to social engineering, and just how much security is reliant upon people not falling for confident individuals with the gift of the gab. I'm not finished so can't offer a proper critique. But it's easy and fun reading for when my brain has had enough of Thinking Fast and Slow.

Stay safe people.

Tuesday 1 November 2016

DriveDroid - NetHunter - OnePlus One

So I've had some issues with DriveDroid being unreliable booting a Toshiba laptop into Tails / Kali / etc. recently. The BIOS would recognise the device as connected, but just would not boot, effectively skipping the emulated CD or USB and going straight to HD or LAN.

Turns out, something has to happen to kick the USB host into action. I'm still experimenting, but if you are having similar issues, try running the NetHunter custom scripts for "WLAN1 monitor mode", Y-Cable Charging, or wifite... you don't have to have an external wifi connected, just run the script.

It will of course fail. But, try drivedroid after doing this and you might find it works, as it did for me.

Monday 24 October 2016

Referer Spam

So I noticed some interesting referral URLs in my access stats that are serving malicious redirects. It seems that legitimate sites have been found to be vulnerable to open redirects, and that some bot or other is simply visiting websites while setting the referring URL to be the vulnerable page. Then when an unsuspecting webmaster clicks through to see why their page is linked to from said site, they are greeted with some delightful porn, or maybe even some tasty malware. Example URL:

http:// www dot dolcifirme dot com dot au/scripts/redir dot asp?link=http:// dkmhab dot xyz

Nice one, spammer scum, and thanks for giving me something to write about, not to mention a great example to talk about next time someone asks why open redirects are such a big deal.

I owe you one!
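As an added example (not the author's code, and not from the post), here is a Python check that applies the pattern described above to an access log: it parses each Referer and flags any whose query string carries a parameter that is itself an absolute URL pointing at a different host, which is what a bounce through an open redirect looks like in your stats. The log lines and host names are constructed placeholders, not the site from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access log lines in combined log format; the hosts are
# placeholders, not the ones from the post.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Oct/2016:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "http://legit-shop.example/scripts/redir.asp?link=http://bait.example" "Mozilla/5.0"
203.0.113.6 - - [24/Oct/2016:10:01:03 +0000] "GET /about HTTP/1.1" 200 512 "http://legit-shop.example/products?id=42" "Mozilla/5.0"
203.0.113.7 - - [24/Oct/2016:10:01:04 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Oct/2016:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "http://forum.example/login?next=http://forum.example/home" "Mozilla/5.0"
"""

# Combined log format: the referer is the first quoted field after status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)


def redirect_targets(referer):
    """Return (param, target_host) pairs for query parameters of the referer
    that are absolute URLs to a different host: the open-redirect bounce."""
    ref = urlsplit(referer)
    hits = []
    for name, value in parse_qsl(ref.query, keep_blank_values=True):
        inner = urlsplit(value)
        if inner.scheme in ("http", "https") and inner.netloc \
                and inner.netloc.lower() != ref.netloc.lower():
            hits.append((name, inner.netloc.lower()))
    return hits


def suspicious_referers(log_text):
    """Scan log text and list referers that bounce through another host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("referer") == "-":
            continue  # unparseable line or no referer sent
        ref = m.group("referer")
        hits = redirect_targets(ref)
        if hits:
            findings.append({"ip": m.group("ip"),
                             "referer_host": urlsplit(ref).netloc.lower(),
                             "targets": hits})
    return findings


if __name__ == "__main__":
    for f in suspicious_referers(SAMPLE_LOG):
        print(f)
```

Same-host parameters (the forum login line) are deliberately not flagged, so ordinary "return to" links do not drown out the real bounces.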


Saturday 22 October 2016

Tao of Cyber Part I

Into a soul absolutely free
From thought and emotion
Even the tiger finds no room
To insert his fierce claws

Interpretation: The tiger in this case is the cyber criminal. Your personality is your vulnerability. Your likes, dislikes, interests, pet hates, your emotional response to events, emails, phone calls, physical interactions, incidents, and conversations. Even the people you know and care about, work with, or love, expose you to a potential for social engineering, either directly or by association.

Unless you are a recluse, hermit, self-loathing, bipolar, split-personality schizophrenic, or psychotic, drug addicted social reject, you will not be able to free yourself from this vulnerability. Even then no one is immune.

Taoism might be able to help, but true dedication to the path to enlightenment is incompatible and irreconcilable with modern day life. So how do you go about protecting yourself from social engineering while still having a "life", in the 21st century sense? For me, this is not always straightforward.

From my experience, there are likely several stages of a career in Cyber. These stages can be visualised as a diminishing sine wave, with a Y axis of "paranoia".

To begin with, you will no doubt see things in your line of work that open your eyes to the techniques that cyber criminals use. This will make you paranoid for a while.

Later, you will see how careless and dismissive the general population are in their online habits, without any negative repercussions. This will make you relax somewhat, perhaps too much. Perhaps you will rationalise the reduced security as operating appropriately within the current threat landscape, or level of risk.

Inevitably, you will see some bad shit go down, affecting real people, maybe some people that you know, maybe even you. This will send your sine wave back up to a heightened level of security again.

Over time, you might realise that actually, the repercussions of that last incident didn't really affect people too badly. Within a few months, everyone stopped talking about it. And no one died. This will help you to relax again.

Eventually, you will find a baseline of secure practices that are not so difficult to live with, that you can get used to and make part of your daily operations. This might include the use of multi-factor wherever possible, a password manager with unique passwords on all sites, using pseudonyms on Facebook, sticking camera lens covers on your devices, using Tor for sensitive browsing or security research, regularly checking your credit report, signing up to haveibeenpwned, etc.

You will still be wondering if you are doing enough... should you also be using a VPN with Tor? Should you configure a VPN gateway at home for streaming video sources? Should you encrypt your disks at the expense of performance? Do you establish and regularly test an emergency secure data destruction procedure?

If you're not buying or selling drugs, viewing or distributing illegal porn, offering DDoS or hitman services, then the extra effort of such measures is probably unnecessary.

But you must still be aware of these procedures, because you might find that you do need them one day and, of course, they are also the methods that your adversaries will be using.

To conclude with a real life rationalisation of the opening poem excerpt: we are only human. Very few of us go to the extremes necessary in the pursuit of enlightenment, thus sacrificing what makes us human. You must do what you feel is right to protect yourself in your world. Not everyone becomes celibate, carries a gun, or studies martial arts to extreme levels in order to defend themselves against a gang of drug dealers, or a state-sponsored hitman. Likewise, not everyone implements secure online practices to a level that would protect them from a determined cyber attacker or opportunistic cyber thief.

You only need to be secure to the extent that makes you feel comfortable, and that is the end of the matter. When you, or someone you know suffers a cyber attack, you might decide to up your game a little bit. And so your sine wave of paranoia propagates.

Of course, working and researching in cyber leads to an increased risk profile, and increased baseline level of paranoia. You really should practice what you preach, because it doesn't look great for a security professional to suffer a security breach.

Sweet dreams!

Sunday 15 May 2016

Paranoid Ramblings One : ISP Monitoring

Working in Information Security opens your eyes to some of the questionable activities that are undertaken by a range of threat actors. The most difficult thing is to not become a nervous wreck as a result.

This is the first in a (probably) ongoing series of thought experiments to rationalise some of these threats and what they mean for me, and maybe also for you.

To understand the techniques that malicious entities might try to use against me, my employer, or people that I know, I inevitably like to try these things out for myself sometimes. This includes playing with tools such as nmap, zmap, nping, recon-ng, the social engineering toolkit, metasploit, Mana, Karma, BDFProxy, WiFite, Tor, SQLMap, etc. etc. etc. the list is simply too long. Most recently, thanks to my MSc final year project, I have been increasingly experimenting with Tor, scapy, and MITMProxy.

All of this toying and experimenting has never resulted in a complaint, although it has always occurred to me that my ISP might find some of the traffic emanating from my location increasingly questionable. I have read stories online of people's internet being disconnected due to using nmap too aggressively, for example, and so the possibility that this could happen to me has always been at the back of my mind. I do make use of Tor and various VPNs when testing out certain tools, but I have never made an all-encompassing effort to go completely "dark".

Two weeks ago, my internet connection slowed right down. It's never been that amazing, typically achieving between 8-14Mbps down and 2Mbps up. Around 2 weeks ago it slowed down to around 3Mbps down. I didn't have the time or energy to take this up with my ISP. Around a week ago, my download speed dropped again to around 1Mbps. Today I thought enough was enough so I called them. They were incredibly helpful and ran a number of line tests, and stated that they had found a fault on the line, which would require an engineer to visit somewhere (not my house) later in the week to correct the problem.

Immediately, my line speed increased to 3Mbps.

So, with my tin-foil hat lying somewhere else in the house, my paranoia meter begins to register some activity.

I suppose it is possible that my IP address has been flagged as sending suspicious packets for a long enough time now that I have ended up on some kind of "high risk" list. And perhaps the ISP process is to, rather than just disconnect their users, throttle their connection until the customer gets in touch to report a problem, thus getting confirmation that they have the correct customer. Maybe they occasionally take the step of sending an engineer to physically separate the high risk users from the main customer base to make their monitoring easier and reduce noise from lower risk customers. Perhaps, nah, surely not... perhaps they alert suspicious activity to higher authorities so that they can have their agents patch high risk users through to other monitoring systems for closer inspection, with minimal noise.

Perhaps it was just a fault on the line.

This certainly isn't the only thing that I wonder about. Trying to guess what other people's intentions are (mostly at work) takes up an increasing amount of my thought time these days, which can be exhausting. I wonder, do all Information Security professionals have this same level of paranoia?

In any case, I have spent enough time pondering this now. Any excuse for a distraction from wrestling with shadow-tor, python, graphml generation, and pcap inspection! I'm sure I have enough evidence that I'm a researcher and not a criminal in case I ever get a knock on the door.

Back to work!

Friday 6 May 2016

Password Auditing - A Word of Advice

Here is a piece of free advice:

Next time you decide to run a password audit against your company out of the goodness of your own heart to try and educate users or the organisation about password practices in the org, do yourself a favour: run as fast as you can face-first into a brick wall instead and remind yourself that this was less painful than convincing users to not do stupid things. Then ask yourself if you still want to proceed.

If the answer is still "yes", then consider taking this approach:

Only look for the truly daftest of passwords. Don't try and put any actual effort into guessing what users' passwords are, because [spoiler alert] you will succeed.

Two-factor is the only way to save the general populace from their own laziness / stupidity / ignorance / stubbornness. If someone wants their password to be "Jessica1987!", then maybe you should let them. At least it is not "Pa55word". Combine their shitty password with MFA and you are probably doing the best you can to protect your organisation, unless you work for the bank or government.

Even taking this simplified approach, be prepared for a world of pain while you try and find someone to take ownership of the several hundred or more accounts that no one remembers what they are for.

Happy hunting!
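An added example, not the author's own audit script: a Python classifier for the "truly daftest" tier the post recommends sticking to. It undoes common leetspeak, strips trailing years and punctuation, and flags only denylisted base words and passwords built on the account or company name, so "Jessica1987!" passes and "Pa55word" does not. The denylist, sample accounts and company name are constructed.

```python
import re

# Constructed denylist of the "truly daftest" base words. A real audit would
# load a longer list (a breached-password corpus, say) from disk.
DAFT_BASES = {"password", "welcome", "letmein", "qwerty", "changeme", "admin", "secret"}

# Substitutions users make to dodge naive word checks, undone before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def base_word(password):
    """Reduce a password to the word it is built on: lowercase, drop trailing
    punctuation, drop leading/trailing digit runs (years, '123'), undo leetspeak."""
    word = re.sub(r"[^a-z0-9]+$", "", password.lower())
    word = re.sub(r"^\d+|\d+$", "", word)
    return word.translate(LEET)


def daft_reason(password, username="", company=""):
    """Return why the password is daft, or None if it is merely mediocre."""
    if len(password) < 8:
        return "too short"
    base = base_word(password)
    if base in DAFT_BASES:
        return "dictionary word: " + base
    # account name or employer with a year or digits bolted on
    names = {t for s in (username, company)
             for t in re.split(r"[^a-z]+", s.lower()) if len(t) >= 3}
    if base in names:
        return "built on account or company name: " + base
    return None


def audit(accounts, company=""):
    """accounts: iterable of (username, password). Returns {username: reason}."""
    return {u: r for u, p in accounts if (r := daft_reason(p, u, company)) is not None}


# Constructed sample data (the company name "Acme" is a placeholder).
SAMPLE_ACCOUNTS = [
    ("jbloggs", "Jessica1987!"),        # poor, but not "truly daft": let it through
    ("asmith", "Pa55word"),             # leetspeak over a denylisted word
    ("svc_backup", "Acme2016!"),        # company name plus year
    ("root", "admin123"),
    ("tjones", "correct-horse-battery"),
]

if __name__ == "__main__":
    for user, reason in audit(SAMPLE_ACCOUNTS, company="Acme").items():
        print(f"{user}: {reason}")
```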