
Wednesday, August 14, 2019

Another Update

I went to Defcon last weekend, which was a lot of fun. The only downside is that I caught some sort of bug and am now sick.

The sniffling and coughing isn't too bad, I suppose... but I also apparently lost my voice. I haven't been able to speak above a whisper for a couple of days now.

Not exactly how I planned on returning from vacation, but I suppose between airplanes and crowded conventions it's not entirely surprising. (As usual, there's a 'Defcon Crud' that refers to getting sick at Defcon, not too different from the 'Kuwaiti Crud' we encountered flying to Kuwait. I'm sure it all has something to do with encountering different viruses/bacteria than what we're used to at home.)

Aside from getting sick, though, I had a blast. Saw some talks, a demo or two, got to solder a badge and pick some locks and bought some cool things. There was a Voting Village, which showed various voting hardware and had talks discussing cyber security for elections. Apparently local election officials have made a lot of changes since the 2016 elections. I won't take their word for it that things are necessarily secure, but I figure I at least need to look into it more before flat out saying it isn't.

There was also a Car Hacking Village, and an Industrial Control System (ICS) Village, and a bunch of other things that seemed interesting. I asked some questions and got some recommendations on books to read for further study (like the Car Hacker's Handbook. This publisher, btw, had a vending booth at the convention with all sorts of intriguing titles.)

Oh, and got to see some relatives, who are amazing btw.

See, one of my aunts has a stepdaughter that lives in the area. I don't think I've met her since I was like, idk, eight or something at my grandparents' 50th (or 40th?) wedding anniversary, though we've been facebook friends for a while and I know one of my other aunts and uncles visit her when they come to Vegas for his poker tournaments.

So I figured, wth, I'd let her know I was in town and we could do lunch or dinner or something. Apparently she then told some of my other aunts I would be there, and since they (and another uncle) were living in Arizona they decided to drive down and visit. My cousin kept this all entirely as a surprise, so I had no clue they were coming.

They showed up at the restaurant where we were, and my aunt asked if we'd mind sharing a table. Someone was recording me when they did this, and apparently my reaction was priceless. Like... I was totally not expecting to see my aunt there, and almost didn't recognize her. Then I was processing her request, which was really strange (who asks to sit at another group's table? Especially when there are plenty of empty tables?) and then it dawned on me who it was and...

Yeah.

So that was pretty awesome, and they stayed in town a couple of days so I got to hang out with them more after Defcon wrapped up on Sunday. (My flight left Monday, so I had a bit of free time.)

I also... well, I didn't end up gambling At. All.

Not even once. I didn't expect to win, or anything, but I thought I'd figure out how much I was willing to lose and do something. Just because it's, you know, Vegas.

But between the convention and visiting with relatives I just didn't really have the time. And that's okay.

I picked up a few gadgets, though it may take a while before I can play with them. Did you know that there were USB-C cables that look exactly like your usual charging cables, but that can be programmed to deliver some sort of malicious payload?

I figure I'll eventually use one of my old phones, configure some sort of keylogger program or something, and then see how it all works.

I don't have any intentions of using this sort of stuff outside my own home, but it's pretty hard to defend against things you don't even know exist, and I'm curious. Like, how would the malicious payload look on my phone? What does it take to recover the data?

What sorts of things could indicate someone's using this irl, and could I spot it if/when it happens?

Oh, and someone I ran into on Friday said she wasn't going to use her badge for another conference (the Diana Initiative, smaller and covering some of the same things but more focused on women in the industry), so she gave it to me. In some ways, the smaller convention was nice... less of a crowd at the lock picking and soldering villages, and it's nice to see other women interested in the things I am.

Lock picking, like some of the other stuff I mentioned, is not something I intend to use seriously... people say they do it more for the art of it? It just seems like a cool thing to know, and understanding how locks work is kind of neat. I don't claim to be any good at it, but I did pick up a set of practice locks - they increase in difficulty level, so once you master one you go on to the next.

I did do a stint with the Ethics Village, a part of Defcon put in by my local group. Sat in on a 'coffee talk' with Joshua Steinman, which was interesting.

There was plenty more to do and see. I didn't participate in any of the (many, many) Capture the Flag events, for example. And figuring out what's up with the convention badge is apparently a regular thing.

So plenty of things to do, lots of stuff to learn, and I had fun... even if I'm currently slightly sick and unable to talk.

Saturday, March 9, 2019

Computing - Malware, Phishing, Etc.

I suppose I should do a quick recap of the scenario, such as it is:

Your business operates in a gated community, where the front office is the only 'address' the internet has. The front office routes all the messages it receives in accordance with the various rules and protocols it's told to use, forwarding most messages to the fulfillment center managing customer requests and the rest to various employee residences as needed.

Each building - the front office, fulfillment center, and residence - has a robot maid (called Rosie, in honor of the Jetsons). Rosie comes in all sorts of makes and models, and you can add attachments as needed. There's danger, though... as someone familiar with the particular make, model, and/or attachment may be able to program Rosie to act in unexpected ways. She may take pictures of the files in your filing cabinet, or make copies of all your letters and send them on, or set a particular window to receive commands from another location.

I want to discuss that process a little bit further. See, malware has two separate stages. There's the method of infection (the vulnerability that allows someone to install malicious software on your computer) and then there's the payload, which is what you want the malware to do once it's there. The payload has more to do with the attacker's intent, whether it's copying files or encrypting files until you pay a ransom or turning your computer into a 'bot' that checks in periodically for further orders.

Any method of delivering malware can be used for any of those purposes, and more. Different payloads will also give off different indicators that there's malware on your computer. If Rosie is communicating with a command and control center somewhere, there may be logs of that activity and ways to detect it... though you'd have to know how to spot it. (That's part of why I want to play with an IPS/IDS. See what it logs, what sets off an alert, etc.)
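One concrete version of "there may be logs of that activity and ways to detect it" is to look for a host that contacts the same destination at nearly regular intervals, which is how a bot checking in for orders tends to look. The script below is an added example, not code from the post; the proxy log lines are constructed, the destinations are documentation addresses, and the threshold (at least four hits, intervals varying by under 10%) is an assumption a real deployment would tune.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic): time, source host, destination.
SAMPLE_LOG = """\
2019-03-09T10:00:00 host-a 198.51.100.7:443
2019-03-09T10:00:05 host-a 203.0.113.9:443
2019-03-09T10:05:00 host-a 198.51.100.7:443
2019-03-09T10:07:41 host-a 203.0.113.9:443
2019-03-09T10:10:00 host-a 198.51.100.7:443
2019-03-09T10:15:00 host-a 198.51.100.7:443
2019-03-09T10:20:01 host-a 198.51.100.7:443
2019-03-09T10:21:13 host-b 203.0.113.9:443
2019-03-09T10:24:59 host-a 198.51.100.7:443
"""


def parse_log(text):
    """Yield (timestamp, source, destination) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=4, max_cv=0.1):
    """Return {(src, dst): mean_interval_seconds} for source/destination pairs
    whose connection gaps are nearly constant: enough hits, and a coefficient
    of variation (stdev / mean of the gaps) at or below max_cv."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst), avg in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: contacted roughly every {avg:.0f} seconds")
```

In the sample, host-a reaches 198.51.100.7 every five minutes give or take a second or two, while its visits to 203.0.113.9 are too few and too irregular to flag. Legitimate software (update checkers, mail clients) beacons too, so a hit like this is a lead to investigate, not a verdict.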

But the malware has to get to Rosie first, get through the firewall to her, and she has to read it and be affected by it.

There's a bunch of different methods for doing this, and I by no means claim that I know them all. I will say one of the biggest/best methods is to get someone inside the firewall to connect to you. Phishing attacks, watering hole attacks, and the like.

Phishing attacks, at least when someone is deliberately targeting a business, are not the laughable attempts you'll find in your spam folder. They probably did their research (the video I posted earlier has some great examples of this, though it was done after they were already in the network.)

They may look you up on Facebook, or LinkedIn. May try to figure out your home address, your pets' names, your children's names. They'll try to guess your passwords and user name. They may go dumpster diving for any information they can use against you.

And when they craft an e-mail, it will be practically indistinguishable from legitimate mail. If they're trying to get you to install something malicious, they'll create their malicious software and find a way of wrapping it in something legitimate. If they say it's an ssh application, they'll attach it to the e-mail and it'll open and act just like an ssh application ought to. Or they'll add a link to an e-mail, but modify the address so that it goes to the computer they're waiting to hack you with.

They can apparently also use macros, and images, and other things. It's part of why they advise you not to let your e-mail give you a preview (since doing so involves opening the e-mail) and not to let it display images.

Or they research your company, and notice that a lot of your employees go to a specific website outside the firewall (to check the news, or stock prices, or sports... or even something work-related.)

So they set up a watering hole attack, using that website to launch an attack when your employees visit it.

Or they drop some infected USB drives in a parking lot, and wait for someone to find it and plug it in.

I'm still learning all this myself, but I've heard a couple of penetration testers say that they have never failed to penetrate the defenses of their target.

Think about that for a second.

Anyways, to bring this back to my analogy... let's say that a malicious letter was somehow wrapped up in a legitimate letter. It gets to your home through one method or another, and it goes straight to Rosie (unless it's caught by an anti-virus program before she can read it). If she hasn't been updated or modified since the vulnerability was found, then the payload is delivered and she follows whatever she's instructed to do.

Once Rosie's affected, she can also be used to send messages to her neighbors, affecting them as well.

Eh... I'm not too happy with this post, I feel like it didn't quite go where I wanted it to. But it's getting late, and I've got stuff to do tomorrow. Not sure how much I'll post next week.

A Video on Hacking

https://youtu.be/Ru7vpTSVyYg

Tuesday, March 5, 2019

Computing - Broad Overview of Potential Insecurities

Well, I got pfSense working, and installed The Security Onion. Kali is up, but not connected to the internet and I'm still working on that. (The guide had this thing called Afpacket bridges for trying to isolate networks, but I'm not sure I fully understand how that's supposed to work and the stuff I'm working with has been updated since the guide came out so the instructions are not quite exact.)

Anyways. I wanted to pull together some of what I've covered, and how it relates to computer security. This is going to be a mile wide and an inch deep. For everything I touch on there are measures, and counter measures (and counter-counter measures), so if something piques your interest definitely look into it on a deeper level.

I used the postal service analogy before, and I'm going to stick with it (and maybe even expand upon it when I get to the server side of things).

Picture the many, many ways a handwritten letter could be insecure.

Someone might be reading over your shoulder while you write it. Or they may enter your office and look at it before you mail it off. Or they may intercept it anywhere along the way and open it.

You can take countermeasures to protect your information of course - like writing the letter in code, for example - but our ability to 'sniff' traffic makes it ridiculously easy to read at least the mailing information on the outside of your envelope.

And certain websites may be so ignorant (or lazy) that they put sensitive information - like your username, password, or credit card information - right there on the outer envelope.

Wireshark is a tool that passively collects information on all the letters passing through an area. You can filter and search through that traffic for all sorts of information...

And btw, there are all sorts of tools that allow you to sniff traffic, whether over a physical wire or off the wifi. Such tools are not necessarily bad in and of themselves, it's just that they can definitely be used for malicious purposes.

Even if sensitive websites (like banks, or online retailers) use https, and have that little green lock on the top indicating all the messages are transmitted in some sort of cipher, if you use the same password on every other site all it takes is one insecure site and a hacker can find out what other sites you've visited and try using your password there.

That's not even including efforts to misdirect your mail to a fake website, or add malicious software to an ad on a legitimate website, or cross-site scripting (which I don't fully understand yet, but hope to get into in more detail later.)

Which means that there are multiple cases where your information can be stolen, well before you've even reached any particular website. Talking about what happens there is going to take way more work, so I'll get into that next time.


Monday, March 4, 2019

Computing - User Input, Web Applications, and Security

I found a marvelous source for creating the virtual environment I want, so I am happily configuring my virtual network environment. Or not so happily, as the case may be. Since software tends to update almost as soon as any guides are created, there's always a bit of fun to be had in figuring out how to apply the instructions to your actual system. (I got pfSense installed, and it can ping out, but I can't seem to access the website for configuring it from my laptop. Google isn't getting me the answer I want, as I keep getting hits for similar-but-not-quite-the-same problems. I wonder if the same would hold true if I created a VM on the virtual network?)

I've also been reading a rather excellent book on how hackers access information through a business's particular web site - The Web Application Hacker's Handbook, which explains so much about why/how security is so complicated these days.

The issue comes back, yet again, to user input. See, since computers use 1's and 0's for everything, the only way they know whether a sequence of 1's and 0's is supposed to be a number, or a letter, or a location, or an instruction is because of the context.

Most computer science programs will focus on teaching their students at least one programming language, in part to teach you programming logic. There are some slight differences (i.e. object-oriented programming and whatnot), but the basics are fairly similar.

It's the syntax that changes. Different languages have different ways of telling the computer when an instruction ends. And so in some languages we use a ';' to indicate the end of one line of instruction, so the computer knows when to stop. And if you go to your web browser and select 'web developer' or somesuch from the viewing options, you'll see the code for the webpage you are viewing. It will probably have something like <head> and </head> or <body> and </body> to indicate which text is part of the head, and should be formatted as indicated elsewhere for headers, and so on for the body. Note the closing '/' to indicate the end of a section.

It may seem overly technical to anyone not in computers, but bear with me.

A very common 'first program' in any language, is to print "Hello, World!" to your screen. In Java the particular line of code would be -


System.out.println("Hello, World!");


Running a program that includes that line will give you 'Hello, World!'. But let's say you want to add another line, "How are you?" You could enter


System.out.println("Hello, World! How are you?");


And the result would look something like "Hello, World! How are you?"

But what if you want the second half to print on a new line (entering a carriage return, in old typing terminology)?

There's code for doing that, but the computer reads everything within the quotation marks as letters and prints accordingly. So you need an escape character, something to tell the computer "Hold up, wait. This needs to be processed differently."

In Java, the '\' is the escape character, so if you said


System.out.println("Hello, World!\nHow are you?");


It would print something like:

Hello, World!
How are you?

Escape characters are actually kind of important, because that's how a hacker can tell the computer to process their input as commands rather than simple text.

I've only just begun to read the book on web hacking, but the first few chapters easily conveyed just how difficult it is to validate user input.

For example, a hacker might try typing <script> to do something (presumably start a script? Looks like the type of code you see in web pages, like those <header> bits, or xml code).

A business may code their application to remove all <script> instances from user input. But what if they type in <scr<script>ipt>?

Now if you take out the <script>, it collapses the rest of the line into another <script>.

To add to the confusion, recall that every character can be represented by numbers (i.e. ASCII coding format)... so the hex number 27 can be read as an apostrophe, or 25 can be read as a %, 3c can be <, etc.

If you know what language is being used, and how the input is being read... to include the removal of certain characters... you can come up with a particular line of code that will get through all the filters and do something unintended.

Apparently, many businesses use multiple different tools to create their web applications. And if those tools use different programming languages, and react to different escape characters, then there's no one-size-fits-all way of checking user input for hacking attempts.
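The <scr<script>ipt> and hex-encoding points above can be seen in a few lines of code. This is an added example, not from the post or the book it mentions: a single-pass filter of the kind described, a version that decodes percent-escapes and keeps stripping until nothing changes, and the approach most web frameworks actually rely on, which is to escape the text when it is written into the page so the browser never reads it as markup.

```python
import html
import re
from urllib.parse import unquote

# The string the filter is looking for (case-insensitive, exact tag only).
TAG = re.compile(r"<script>", re.IGNORECASE)


def strip_once(user_input):
    """The filter the post describes: delete every literal '<script>' one time."""
    return TAG.sub("", user_input)


def strip_until_stable(user_input):
    """Decode %-escapes first (so %3cscript%3e is seen as <script>), then keep
    deleting the tag until a pass changes nothing, so the pieces left behind by
    '<scr<script>ipt>' cannot re-assemble into a tag the filter missed."""
    text = unquote(user_input)
    while True:
        stripped = TAG.sub("", text)
        if stripped == text:
            return text
        text = stripped


def escape_for_html(user_input):
    """Output encoding: '<' becomes '&lt;', so whatever was typed is displayed
    as text rather than interpreted as a tag. Nothing needs to be removed."""
    return html.escape(user_input, quote=True)


if __name__ == "__main__":
    for sample in ("<scr<script>ipt>", "%3cscript%3e"):
        print(repr(sample))
        print("  strip once        ->", repr(strip_once(sample)))
        print("  strip until stable->", repr(strip_until_stable(sample)))
        print("  escape on output  ->", repr(escape_for_html(sample)))
```

Even the repeated stripping only handles the exact string it was told about; a tag written with extra whitespace or attributes would still get past it, which is the point the post is making about filters. Escaping at output does not have that problem, because it changes how the text is rendered rather than trying to guess every form the text could take.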

Saturday, March 2, 2019

Relevant Article

I was clearing out my phone tabs (I tend to keep open interesting links that I want to review later) and found an article discussing how attackers these days rarely use bespoke malware. Fits in with what I've been saying about automating exploits and making it easy for anyone to hack a system.

Friday, March 1, 2019

Computing - the Internet, Cont.

I debated which way to go from here - in that I can go into much greater detail on how the internet works, or I can focus more on what really is relevant to the general user. There's all sorts of important things for a network engineer to know, but going into the OSI model or the alphabet soup of various protocols (EIGRP, BGP, OSPF, as well as the TCP handshake, SYN Flooding, and more) seems more likely to cause a non-technical person to get overwhelmed rather quickly.

So I'm going to talk about databases for a bit. It's relevant, I promise, and I'll try to turn it into a personal story of sorts.

When you grow up with technology, but not a techie - in my case, at least - you just sort of absorb odds and ends as you come across them. Databases have been like that for me, a topic that started impinging on my awareness about a decade ago.

It's not that I didn't know the term, or have some general sense of what it meant, but when a colleague of mine decided our reports would be easier to work with in a database rather than the excel files we'd been using, I started learning more about when and why they're important.

And the key to understanding the most common type of database is to understand relationships. That is, if you wanted to create an excel file for customer orders you would probably have to enter in the customer name and address for every single time that the customer placed an order.

If it's in a database, on the other hand, you can have a customer table and an order table, and establish a relationship between the two (i.e. a customer id number). In the customer table you only have to enter the address once, but because it's associated with the corresponding customer id in the order table you can easily create a table showing all the orders that customer has placed. Including the mailing address.

Businesses use these all. the. time. That way you can have a table showing all your employees, and a separate table showing all the wages paid, as well as a table for all customers, and a table for all the orders they placed, and a table for all the bills charged to the customer... and businesses can run queries against that database to get the information they need. Like a history of all the orders a particular customer placed, or an aggregate of all orders from a particular region, or all the customers who owe the company money.

Although I've worked more with Microsoft Access than the big enterprise databases (Oracle, MySQL, SQL Server, etc.), most have a similar structure for querying the data - Structured Query Language (hence the 'SQL' in the databases above).

SQL statements are actually fairly obvious when you keep them simple, though they can grow to be horrendously complicated. A basic query might look like this:

SELECT * FROM Users WHERE Name = 'foo' AND Pass = 'bar' 

It's basically saying you want to select everything from the Users table where the name is 'foo' and the password is 'bar'. (The * is a wildcard, it means select everything that matches the criteria)

So why is this important?

Well, websites these days are interactive. You don't just download a page and read what it says. You login - to check your bank account, or the news for a site you've subscribed to, to check your friends on Facebook, or post to Instagram, check your employee benefits, request time off, or any number of things online - and that login is generally used to find your specific information in a database.

When you go to a website, well... to use the postal service analogy, that site is getting thousands and thousands of letters a day, and it is passing your particular information to a warehouse (the database) that processes your request and sends back the information you wanted.

The website and database together have to a) keep track of your mail vs. all the other users' mail, so you don't have to send your username and password every time you send a letter and b) make sure that you only see your information, it doesn't send you someone else's response or let someone else see yours.

That means businesses operating over the internet generally have a way of tracking your session (that's where cookies come in to play, though it's not the only way of doing so) and some sort of system for authenticating you as the user and granting access to the information you are authorized to see.

And most of those have to deal with the exact same problem I listed when describing the buffer overflow - user input.
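To tie the query above to the user-input problem: the difference is whether the name and password a visitor types are pasted into the SQL text, or handed to the database separately as values. The snippet below is an added example, not code from the post; it builds a constructed in-memory Users table with the single row the post's query looks for, and shows both ways of running that query. An apostrophe in the input (the hex 27 character mentioned in the earlier post) is enough to show the difference.

```python
import sqlite3


def make_db():
    """Constructed in-memory Users table holding the row the post's query expects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Name TEXT, Pass TEXT)")
    conn.execute("INSERT INTO Users VALUES ('foo', 'bar')")
    conn.commit()
    return conn


def build_query_concat(name, password):
    """Pastes the user's text straight into the statement. Whatever they typed
    becomes part of the command the database reads."""
    return f"SELECT * FROM Users WHERE Name = '{name}' AND Pass = '{password}'"


def login_concat(conn, name, password):
    return conn.execute(build_query_concat(name, password)).fetchall()


def login_param(conn, name, password):
    """Placeholders: the statement is fixed, and the driver passes the two values
    to the database as data, so a quote in the input is just a quote."""
    return conn.execute(
        "SELECT * FROM Users WHERE Name = ? AND Pass = ?", (name, password)
    ).fetchall()


def quote_breaks_concat(conn, name, password):
    """True when the concatenated statement no longer parses for this input."""
    try:
        login_concat(conn, name, password)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print(login_concat(conn, "foo", "bar"))          # the intended lookup
    print(build_query_concat("O'Brien", "x"))        # the quote ends the literal early
    print(quote_breaks_concat(conn, "O'Brien", "x")) # True: the database rejects it
    print(login_param(conn, "O'Brien", "x"))         # [] : treated as a name, no match
```

The syntax error is the friendly outcome; the point is that the shape of the command changed because of what a visitor typed, which is exactly the situation the buffer overflow post describes in a different setting. Using placeholders removes that possibility rather than trying to filter quotes out.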

Thursday, February 28, 2019

Relevant to Previous Post

Discusses attacks targeting the DNS infrastructure.

https://www.securityweek.com/warning-issued-over-attacks-internet-infrastructure

Wednesday, February 27, 2019

Tuesday, February 26, 2019

An Update and More on Computing

Someone gave me some advice on setting up a home lab, so I was messing around with my own computers for a bit. I was thinking that if I set up my most powerful computer as a hypervisor (i.e. it can host virtual machines simulating other computers) I can connect to it from my laptop and mess around with it that way.

No news on the job front, alas.

I wanted to talk more about what happens when you surf the net, but first I wanted to say something about hacking. Hacking, btw, is more of a mindset than anything else, a willingness to look at the various tools in place and see the potential for unexpected uses. Sort of like the way Afghans would repurpose solar panels to suit themselves. Anyways, that mindset can be used for both good and bad, but isn't inherently evil. Even though most people nowadays think of 'hackers' as criminals, it's not true.

It takes someone very knowledgeable about computer architecture, programming, and the like to exploit a vulnerability. We were supposed to do this as an assignment in one of my classes, and let me tell you, it was hard. Going back to my earlier post, such a skillset could be compared to a skilled man-at-arms back before guns became a thing. It took years of hard work and practice to become an expert swordsman, and the same goes for expert hackers.

With the power of programming and the ease with which we can copy and share information, a really good hacker can create a program to exploit a vulnerability, and then make infinite copies of that vulnerability. I used wizards and spells in my previous analogy because it seemed a bit more accurate than describing a gunsmith and the mass distribution of automatic rifles.

The knowledge and skills required to be a 'wizard' (or 'hacker') may create a limit, of a sort, on how much trouble they can wreak directly, but the ability to share anything they find means that anyone - even your mother, father, grandmother or grandfather - can conduct a cyber attack. I have come across a few vague articles talking about the criminal business model for such things, and it sounds like there are people hired to conduct attacks who probably don't know much more about computers than anyone not in the computer industry. (So, really, not all cyber attackers have the skills to be a 'hacker'. I think the term I've heard people use for them is 'script kiddie'.)


Monday, February 25, 2019

Computing - Hacking, Buffer Overflows, Etc

I originally planned on going into networking a bit (i.e. what happens when you type something in the internet browser), but I decided it's probably more important to take a step back and discuss hacking.

Hacking, I've come to learn, doesn't necessarily mean anything malicious. It's more about a mindset... about knowing how the system works, and how to manipulate it in order to make it do what you want. Even if what you want was not the original intent.

But what does that mean, really? Well, early programs sort of took it on faith that people would use them the way they were intended... so most programmers didn't code ways of catching such errors.

A lot of programs are interactive - they ask us for our user names, or birthdate, or what our favorite fruit is, or what command we want to give to a character in a computer game.

And here's the thing - the programmer doesn't necessarily know what we're going to type. If it's asking for our favorite fruit, it could be 'apple', or 'banana', or something more obscure like 'jackfruit' or 'starfruit'. The program has to be prepared for whatever we type in...

And sometimes, well... people make mistakes. Typos. They might be asked for their favorite fruit, and instead hit the 'ENTER' key without typing anything. Or accidentally type ap4le. Or bannnana. Or 42.

And sometimes, someone who knows the system very well can deliberately type in something else. For example, the program might have reserved enough space for whatever they consider appropriate for a fruit. Maybe there's enough space to type jackfruit_____ (giving extra room, just in case.)

But what happens if someone types in jackfruit_____gotomyvirus?

It's possible for everything past the buffer, everything past the space reserved for that user input, to overwrite whatever happened to be at that location. It's still all in binary, of course. So it's as though the computer had said 011001010 and now says 010010110. But if that location was, oh, let's say instructions for the next step of the program... and the new instructions basically tell it to go to another location and run a bit of code that does something malicious (i.e. 'go to my virus'), then congratulations. Your program has a vulnerability that has now been exploited and used to launch a computer virus.

Computers only do what they are told to do, no more and no less. If it thinks a program is telling it to go to a location, it doesn't know that the command was altered... it just follows the instruction and goes to that location. And if that location includes a list of other commands, commands telling it to start a remote trojan that takes over your computer, or secretly record everything you type, or run a program mining for cryptocurrency, or check for orders from another computer and send multiple information requests to a designated website... well, it's just doing what the instructions said.

There are countermeasures, of course. Secure coding practices that check user input for things like this, and/or cut off anything that goes beyond the allotted space.
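The jackfruit_____ picture above can be reproduced in real memory without writing C, using Python's ctypes to lay out a fixed-size slot for the answer with the program's "next step" stored directly after it. This is an added example, not from the post: the Record layout, the 1337 value and the input bytes are all constructed for illustration, and the copy is deliberately kept inside the struct's own 16 bytes so the demonstration cannot corrupt anything else in the interpreter.

```python
import ctypes


class Record(ctypes.Structure):
    """Hypothetical program state: a 12-byte slot for the fruit answer, with the
    number of the step the program takes next stored immediately after it."""
    _fields_ = [("fruit", ctypes.c_char * 12),
                ("next_step", ctypes.c_uint32)]


FRUIT_OFFSET = Record.fruit.offset   # 0: the slot is at the start of the record
FRUIT_SIZE = Record.fruit.size       # 12 bytes were reserved for the answer


def unchecked_store(rec, data):
    """The vulnerable version: copy everything that was typed, however long."""
    # Demo-only guard so we never write past our own struct; a real program
    # has no such check, which is the whole problem.
    assert len(data) <= ctypes.sizeof(Record)
    ctypes.memmove(ctypes.addressof(rec) + FRUIT_OFFSET, data, len(data))


def bounded_store(rec, data):
    """The countermeasure: cut the input at the slot size, keeping one byte
    free so the stored text always ends with a NUL terminator."""
    n = min(len(data), FRUIT_SIZE - 1)
    base = ctypes.addressof(rec) + FRUIT_OFFSET
    ctypes.memset(base, 0, FRUIT_SIZE)
    ctypes.memmove(base, data, n)


def run(store, data):
    """Store `data` with the given routine and report what the record holds."""
    rec = Record()
    rec.next_step = 1            # the program intends to go on to step 1
    store(rec, data)
    return rec.fruit, rec.next_step


# Constructed input: 12 bytes that fill the slot exactly, followed by 4 bytes
# that land on next_step (1337 in the machine's own byte order).
OVERLONG = b"jackfruit___" + bytes(ctypes.c_uint32(1337))

if __name__ == "__main__":
    print("unchecked:", run(unchecked_store, OVERLONG))   # next_step is now 1337
    print("bounded:  ", run(bounded_store, OVERLONG))     # next_step is still 1
```

With the unchecked copy the answer looks perfectly normal, and it is the field after it that quietly changed, which is why this class of bug is hard to notice from the program's own output. In the bounded version the extra bytes simply never arrive.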

This also is just one example of a vulnerability, to give readers a sense of how it works.

(It's also just one area of this vast realm we call 'cybersecurity' that I'm interested in. Not so much finding those vulnerabilities and exploiting them - though there are people who make a living finding such things - so much as looking at a virus and figuring out how it does what it does. I think I'd have to set up a virtual machine, get some code I suspect is malicious, and then watch/monitor the actions it takes when it runs. I'd probably need something that breaks down those actions into machine language, and have to understand that language well enough to go looking for where the instructions are altered. Figure out where something is entered to overwrite what was supposed to be in the program and put in new instructions. And it'll look different for the various vulnerabilities, too. Plus there's an ongoing cat and mouse game to this. That is, anti-virus programs can identify sequences of 1's and 0's that indicate something malicious is going on, so hackers sometimes encrypt the virus or alter it on a regular basis so that it looks like something different.

I haven't gotten down into the weeds of this yet. Tbh I'm hesitant to start up my own 'sandbox' and risk infecting my systems if I do something stupid. I'd sort of prefer to know someone already doing this kind of work, and learn from them as much as possible.

I like the idea, though, and may just jump in and start messing around with it at some point. If I break something, well, I'll just have to learn how to fix it afterwards, right? It's just... there are tons of other interesting things to explore, as well!)