Career

Security Summer Camp (BSidesLV, Blackhat and Defcon) is the most important week in the security industry, and as such you need to be prepared to network like a professional.

Here are 6 things you can do this week to get ready:

Freshen Up Your Social Media Profiles

Is your Twitter profile picture 4 years old? Does your Twitter bio mention a meme from 3 years ago? Do you have a blog that hasn't had a new post in 18 months?

Spend some time doing basic upkeep on the social media channels you use, and shut down the ones you don't.

Get Some Personal Cards

It is 2016 and we should all be able to NFC our contact info securely to the person next to us in 10 seconds, but we can't.

You should invest in some personal networking cards that you can hand to someone when you want to take that conversation about the amazing project they are working on from the Rapid7 party offline so you can really understand the technical details.

These just need your name, email and social media contact information (Moo.com is where I get mine).

Plan Your Week

Seriously.

Sit down this week and decide which talks you want to see, who you want to meet and what parties you want to attend, and be realistic about it. Decide what is important to you and make sure you attend those things.

Defconparties.info keeps the most up-to-date list of parties happening during Security Summer Camp.

Dress The Part

Dinner at Carnevino with your favorite vendor and the pool party at BSidesLV require two totally different outfits. You don't want to be the jerk who shows up at the best steakhouse in Vegas in flip-flops, or the jerk who goes to a pool party in a blazer.

You will need everything from workout clothes to your best "meeting with the VC firm" jeans, and there is no way you are getting all of this into a carry-on. So pack like an adult and bring more clothes than you think you need.

Let People Know You Are Going

If you want to meet with anyone at Summer Camp, let them know this week that you are going. Schedules get crazy, and if you want someone to give you an hour of their time you probably need to start playing calendar tag with them this week.

Polish Your Resume

You might not be looking for your next job when you head to Vegas, but you should always be open to the right job. You don't want to be scrambling around when someone wants to talk to you about the <insert dream job title> position at <insert dream company>. This is also a good time to make sure your LinkedIn profile is up to date.

Hacking, Security

We are two weeks away from Security Summer Camp (which is BSidesLV, Blackhat and Defcon)!

 

So it is time for everyone to write their annual blog posts about what you must do before you head out.  I want to be one of the cool kids so here is my list of 6 things to do before you pack:

Delete All The Saved SSIDs On Your Devices

A common attack is to spoof well-known SSIDs so that your device connects automatically and starts using the attacker's AP, letting them capture all of your traffic. Devices that actively probe for their saved networks hand the attacker the list of names to spoof, which is exactly what tools like mana exploit. I actually wrote a script called mana-common that spoofs the most common ones to demo this problem.

You should delete all the saved SSIDs on your devices so you don't fall victim to this attack.
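Doing this by hand on every device is tedious, so here is a script for the laptop side. It is an added example, not something from the original post or from the mana project. It assumes NetworkManager's nmcli (Linux) or networksetup (macOS) is on the PATH, and that the macOS Wi-Fi interface is en0 unless you pass another name. By default it only prints what it would delete; set FORCE=1 to actually remove the profiles.

```shell
#!/bin/sh
# Added example (not from the original post): list every saved Wi-Fi profile
# and remove it, on Linux with NetworkManager (nmcli) or on macOS
# (networksetup). Nothing is deleted unless FORCE=1 is set, so the default
# run is a dry run you can review first.
# Assumptions: nmcli or networksetup is on the PATH; the macOS Wi-Fi
# interface is en0 unless another name is passed as the first argument.

# Read "NAME:TYPE" lines (nmcli -t -f NAME,TYPE connection show) on stdin and
# print the names of Wi-Fi profiles. The type is taken from the last field so
# that names containing an escaped colon still come through intact.
wifi_profiles_from_nmcli() {
    awk -F: '{ type = $NF; sub(/:[^:]*$/, ""); if (type == "802-11-wireless") print }'
}

# Read "networksetup -listpreferredwirelessnetworks en0" output on stdin: skip
# the "Preferred networks on en0:" header and strip the leading tab from
# each SSID.
wifi_profiles_from_networksetup() {
    sed -n '2,$s/^[[:space:]]*//p'
}

# Delete (or, by default, just list) every saved Wi-Fi profile.
forget_all_wifi() {
    iface="${1:-en0}"
    if command -v nmcli >/dev/null 2>&1; then
        nmcli -t -f NAME,TYPE connection show | wifi_profiles_from_nmcli |
        while IFS= read -r name; do
            if [ "${FORCE:-0}" = 1 ]; then
                nmcli connection delete "$name"
            else
                printf 'would delete (nmcli): %s\n' "$name"
            fi
        done
    elif command -v networksetup >/dev/null 2>&1; then
        networksetup -listpreferredwirelessnetworks "$iface" | wifi_profiles_from_networksetup |
        while IFS= read -r name; do
            if [ "${FORCE:-0}" = 1 ]; then
                networksetup -removepreferredwirelessnetwork "$iface" "$name"
            else
                printf 'would delete (networksetup): %s\n' "$name"
            fi
        done
    else
        echo "neither nmcli nor networksetup found" >&2
        return 1
    fi
}

# Run the cleanup only when asked with RUN_FORGET=1, so the helper functions
# can be sourced and checked without touching the system.
if [ "${RUN_FORGET:-0}" = 1 ]; then
    forget_all_wifi "$@"
fi
```

Review the dry run first (`RUN_FORGET=1 sh forget-wifi.sh`), then run it again with `FORCE=1`; on macOS the removal needs `sudo`. Phones still have to be cleared by hand, and the list will fill back up over the week, so repeat it when you get home.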

Get A Hot Spot

Connecting to a hotel network at a Hilton in Little Rock is dangerous. Connecting to a hotel network in Las Vegas is reckless. Connecting to a hotel network in Las Vegas during Security Summer Camp is stupid. You can pick up a mobile hotspot for about $25 a month.

Get A VPN

You could easily get a commercial VPN, but if you want to go to the next step, build your own Streisand server or an OpenVPN server and delete it when you are done with it. It will help protect your data from anyone who may be snooping on you.

Change All Your Passwords (Before and After)

You should run your password manager's auto-change feature before you leave for Vegas, and again when you get back, in case someone gets hold of one of your accounts. You do use a password manager, right?

Turn On 2FA On All Your Accounts

You should at a minimum enable 2FA on all your social media and financial accounts before you head out. Twofactorauth.org has great information on how to configure your accounts to use 2FA.

PCAP All Your Traffic

This is the most paranoid of my tips, but when I am at a conference I always PCAP all my traffic so that if I do get breached I can hopefully figure out how, or at least write a good blog post about it.

I wrote a blog post on doing this with Docker earlier this summer, so I now run this to save the pcaps to my Dropbox (keep in mind that anything captured in cleartext gets synced to Dropbox along with it):
docker run -v ~/Dropbox/pcap:/pcap --net=host -d jgamblin/tcpdump

The truth is these 6 rules should be followed all the time if you want to have a decent operational security posture. OK, you might not need to PCAP everything, I am just paranoid; follow the first five and you will be OK.

Also, while at Security Summer Camp drink plenty of water, don't sleep much and have fun!

 

Hacking, Security

While doing security research it is not uncommon for me to build and destroy between 20 and 25 cloud servers a week on DigitalOcean.

While there are great guides like:
My First 10 Minutes On a Server – Primer for Securing Ubuntu
My First 5 Minutes On A Server; Or, Essential Security for Linux Servers

I do not have the time to manually follow these guides on a server I may shut down in an hour, so I have slowly been building a shell script to do a lot of this for me.

Now the first thing I do when I log into a box is:
curl -sSL https://raw.githubusercontent.com/jgamblin/quickinstall/master/quickinstall.sh | sh

The script does the following:
Upgrades all installed packages.
Enables UFW and denies all inbound traffic except SSH.
Sets the timezone to Coordinated Universal Time (UTC).
Installs Python, Ruby, Node.js, docker.io, Fail2Ban and unattended-upgrades.
Launches a PCAP Docker container to capture all server traffic to PCAP files.

While it is not pretty it does what I need:

#!/bin/sh
# quickinstall.sh: run as root on a fresh Ubuntu droplet (as the curl | sh
# line above does). Stop on the first failed step.
set -e
export DEBIAN_FRONTEND=noninteractive

#
# Refresh package lists and upgrade installed packages to latest
#
apt-get update && apt-get dist-upgrade -y

#
# Install and configure firewall: deny all inbound except SSH
#
printf '\nInstalling and configuring firewall\n\n'
apt-get install ufw -y
ufw default deny incoming
ufw default allow outgoing
ufw allow ssh
# Enable now and at boot. Editing ENABLED= in /etc/ufw/ufw.conf by hand only
# takes effect on the next reboot; --force skips the interactive prompt.
ufw --force enable

#
# Set timezone to Coordinated Universal Time
#
timedatectl set-timezone UTC

#
# Install stuff I use all the time
#
apt-get install -y build-essential checkinstall docker.io fail2ban git git-core libbz2-dev libc6-dev libgdbm-dev libncursesw5-dev libreadline-gplv2-dev libsqlite3-dev libssl-dev nikto nmap nodejs python-dev python-numpy python-scipy python-setuptools tk-dev unattended-upgrades

#
# Install Ruby (RVM stable plus the current Ruby)
#
curl -L https://get.rvm.io | bash -s stable --ruby

#
# PCAP everything: capture all server traffic to ~/pcap on the host
#
mkdir -p ~/pcap
docker run -v ~/pcap:/pcap --net=host -d jgamblin/tcpdump

I will continue to build this out in this GitHub repo.
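One thing worth adding to the "curl | sh" line above: whatever is at the master branch URL is run as root the moment it arrives, so a compromised repo or account, or a CDN serving something else, gets root on every new box. The following is an added example (my own, not part of the quickinstall repo): it downloads the script to a file, checks it against a SHA-256 you recorded after reviewing a specific commit, and only runs it if the hash matches. The URL and hash shown in the usage comment are placeholders; it assumes curl and coreutils sha256sum are available.

```shell
#!/bin/sh
# Added example, not part of the quickinstall repo: download an install script,
# check it against a SHA-256 recorded from a copy you reviewed, and only then
# run it. Pinning the raw URL to a commit instead of "master" keeps the
# content from changing underneath the hash.
# Assumptions: sha256sum (coreutils) and curl are available; the URL and
# expected hash in the usage comment are placeholders you replace.

# Return 0 when FILE hashes to EXPECTED (lowercase hex), 1 otherwise.
verify_sha256() {
    file="$1"; expected="$2"
    actual="$(sha256sum "$file" | awk '{ print $1 }')"
    [ "$actual" = "$expected" ]
}

# Fetch URL to a temp file, verify it, and run it with sh only if it matches.
# The temp file is removed on every exit path.
fetch_verify_run() {
    url="$1"; expected="$2"
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    curl -fsSL "$url" -o "$tmp" || { echo "download failed: $url" >&2; return 1; }
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "hash mismatch for $url, refusing to run it" >&2
        sha256sum "$tmp" >&2
        return 1
    fi
    sh "$tmp"
}

# Usage (placeholders, not real values): pin to a commit in the raw URL.
# fetch_verify_run \
#   https://raw.githubusercontent.com/jgamblin/quickinstall/<commit>/quickinstall.sh \
#   <sha256 you recorded after reviewing that commit>
```

The hash has to come from somewhere you trust more than the download itself, such as the copy you read on your laptop before the trip; computing it from the same URL at run time proves nothing.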

Career, Hacking, Security

There has been a lot of talk about why you should use a VPN on public networks, and why it shouldn't be a commercial one.

I am a huge fan of the Streisand privacy stack because it includes an L2TP/IPsec VPN, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel and a Tor bridge, all in one amazing package.

The problem with Streisand is that the install is amazingly complicated: it runs Ansible from your local system against a cloud provider using API calls, and if you are not in a shop that uses this technology it can be difficult to get working correctly. So I have simplified the install so that it runs directly on a DigitalOcean server (but this should work anywhere).

The steps are as follows:

Create a new DigitalOcean Ubuntu 14.04 droplet named streisand with your SSH key.
The $5 droplet "works", but if you are not going to keep it running all the time (I wouldn't) I would spin it up on a $20-a-month droplet when needed (say for a trip out of the country or to Blackhat).

Run the following commands to install the prerequisites:
sudo apt-get update && sudo apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
sudo pip install ansible markupsafe dopy==0.3.5

Download and configure Streisand with the following commands:
git clone https://github.com/jlund/streisand.git && cd streisand/playbooks
sed -i 's/streisand-host/127.0.0.1/g' streisand.yml
sudo ansible-playbook -i "localhost," -c local streisand.yml
sed -i "s/localhost/$(curl -s ipecho.net/plain)/g" ../generated-docs/streisand.html
(This takes between 10 and 15 minutes to complete.)

Use Streisand for safer internet:
Copy generated-docs/streisand.html to your local machine using scp, or just cat and paste it (cat ../generated-docs/streisand.html). It has all the information you need to use your new privacy server on almost every device you own. You can also share this information with your family or team, as one server should support 4 or 5 users.

If you trust me (and you shouldn't), here is a bash script to automate the install:
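The author's own script is not reproduced on this page. What follows is an added example that collects the steps above into one script; it is mine, not the post's gist or anything from the Streisand project. It assumes it runs as root on a fresh Ubuntu 14.04 droplet, that the repository layout is as described (playbooks/streisand.yml and generated-docs/streisand.html), and that ipecho.net is reachable to learn the public IP; the repo URL and IP lookup service can be overridden with environment variables.

```shell
#!/bin/sh
# Added example, not the author's gist: the Streisand install steps above
# collected into one script, to be run as root on a fresh Ubuntu 14.04
# droplet. Assumptions: the repo layout is playbooks/streisand.yml and
# generated-docs/streisand.html, and ipecho.net answers with the public IP.
set -eu

STREISAND_REPO="${STREISAND_REPO:-https://github.com/jlund/streisand.git}"
IP_LOOKUP="${IP_LOOKUP:-https://ipecho.net/plain}"

install_prereqs() {
    apt-get update
    apt-get install -y git python-paramiko python-pip python-pycurl python-dev build-essential
    pip install ansible markupsafe dopy==0.3.5
}

# Point the playbook at this machine instead of the remote "streisand-host".
localise_playbook() {
    sed -i 's/streisand-host/127.0.0.1/g' "$1"
}

# The generated client docs name the server "localhost"; replace that with the
# public address so the instructions work from other devices. Returns 1 when
# no public IP was supplied so the docs are never corrupted silently.
rewrite_docs_host() {
    docs="$1"; public_ip="$2"
    [ -n "$public_ip" ] || { echo "no public IP found, leaving $docs untouched" >&2; return 1; }
    sed -i "s/localhost/$public_ip/g" "$docs"
}

main() {
    install_prereqs
    git clone "$STREISAND_REPO" streisand
    cd streisand/playbooks
    localise_playbook streisand.yml
    ansible-playbook -i "localhost," -c local streisand.yml
    public_ip="$(curl -s "$IP_LOOKUP")"
    rewrite_docs_host ../generated-docs/streisand.html "$public_ip"
    echo "Done. Copy $(pwd)/../generated-docs/streisand.html to your laptop."
}

# Only run the full install when explicitly asked, so the helper functions can
# be sourced and checked without touching the system.
if [ "${RUN_STREISAND_INSTALL:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_STREISAND_INSTALL=1 sh streisand-install.sh` on the droplet. Because the docs file is rewritten in place, keep a copy of the original streisand.html if you want to run the IP substitution again after the droplet's address changes.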

Career, Security

I worked with a consultant using the Lair Framework two years ago, and since then I have been a huge fan of the project for managing pentest information.

Tom Steele has done an amazing job with the project, but it has been a pain to install. Thanks to Ryan Hanson and Docker, you can now set up a Lair instance with 7 simple commands on a clean (DigitalOcean) Ubuntu 16.04 install:

curl -sSL https://get.docker.com/ | sh
curl -L https://github.com/docker/compose/releases/download/1.6.2/docker-compose-`uname -s`-`uname -m` > /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
git clone https://github.com/ryhanson/lair-docker.git
cd lair-docker
docker-compose build
docker-compose up

From there you can start importing data with drones or entering it manually, but with the installation bar lowered you no longer have a reason not to give this amazing tool a try!

Hacking

One of the tips security professionals love to give is to use a VPN on public Wi-Fi networks. This is great advice (I personally like PrivateInternetAccess and NordVPN). Recently I noticed nike.com blocks traffic from Tor and VPN providers.

That got me wondering what other websites were blocking traffic from these sources, so I decided to test the Alexa Top 1000 websites.

First I needed to get a list of the Top 1000 websites. To do this I used this line of command-line kung fu, which grabs a CSV of the top 1 million websites and puts the top 1000 in a urls.txt file:

curl -s -O s3.amazonaws.com/alexa-static/top-1m.csv.zip ; unzip -q -o top-1m.csv.zip top-1m.csv ; head -1000 top-1m.csv | cut -d, -f2 | cut -d/ -f1 > urls.txt

Here is the output from this command.

I now needed to automatically take a screenshot of 1000 websites. I had started to write my own terrible Python script using Selenium until Chris Truncer pointed me to his amazing project EyeWitness.

The command I used was:
./EyeWitness.py --web -f urls.txt

During my first test, using PrivateInternetAccess, I found 11 of 1000* blocked access with a 401/404:

hilton.com
nike.com
craigslist.org
ticketmaster.com
tradeadexchange.com
blog-newstime.com
brightonclick.com
adnetworkperformance.com
kissanime.to
neobux.com
loading-delivery2.com

craigslist.org, nike.com, ticketmaster.com and hilton.com are the most impactful websites on that list.

I then ran the test again through Tor (using the Tor container I built) and found 40 of 1000* blocked access with a 401/404:

adnetworkperformance.com
nordstrom.com
overstock.com
asos.com
prjcq.com
avito.ru
quikr.com
bestbuy.com
retailmenot.com
blog-newstime.com
secureserver.net
brightonclick.com
shopclues.com
craigslist.org
ticketmaster.com
expedia.com
tradeadexchange.com
foxnews.com
trulia.com
garmin.com
tube8.com
groupon.com
usbank.com
ticketmaster.com
irs.gov
usps.com
justdial.com
walmart.com
kohls.com
wayfair.com
lowes.com
hilton.com
whitepages.com
macys.com
xbox.com
newegg.com
zara.com
nike.com
zhihu.com

Many more asked for a captcha before granting access, for example:

http.amazon.com

Epilogue: I play defense in my day job. I understand the need to stop malicious traffic from reaching your website. This isn't an indictment, just an academic exercise, although if more and more websites take this approach, tools like Tor and commercial VPNs will become less useful.

Final Notes:
I was surprised at how many porn websites are in the top 1000 websites overall.
It takes 1.8 GB of storage to screenshot the top 1000 websites.
*Your results will vary depending on the exit node, the VPN, the time you test and what color shirt you have on.
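Since the results depend on the exit node and the time of day, the useful comparison is a direct run against a tunnelled run of the same list, not a single screenshot pass. The following is an added example (mine, not from the post or from EyeWitness) that records the HTTP status for each host with curl and then lists the hosts that were fine directly but blocked through the tunnel. It assumes curl is available and takes the post's 401/404 criterion a bit further: 403, 429, 503 and a failed connection (curl reports 000) are treated as blocked too, which is an assumption you may want to tighten.

```shell
#!/bin/sh
# Added example, not from the post: probe a list of hosts for their HTTP
# status and diff a direct run against a run made through a VPN or Tor.
# Assumptions: curl is installed; "blocked" means 401/403/404/429/503 or no
# response at all (curl's 000), a broader rule than the post's 401/404.

# Read one hostname per line from FILE and print "host status" per line.
# Follows redirects, times out after 20 s, and sends a browser-like UA so a
# missing User-Agent is not what triggers the block.
probe_urls() {
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        code=$(curl -s -o /dev/null -m 20 -L -A "Mozilla/5.0" \
                    -w '%{http_code}' "https://$host/" 2>/dev/null) || code=000
        printf '%s %s\n' "$host" "$code"
    done < "$1"
}

# Given a baseline result file (direct) and a tunnel result file, print the
# hosts that returned a blocking status through the tunnel but not directly,
# as "host direct->tunnel". Hosts missing from the baseline are skipped.
newly_blocked() {
    awk '
        function blocked(c) { return c ~ /^(401|403|404|429|503|000)$/ }
        NR == FNR { base[$1] = $2; next }
        ($1 in base) && blocked($2) && !blocked(base[$1]) { print $1, base[$1] "->" $2 }
    ' "$1" "$2"
}

# Usage, run manually:
#   probe_urls urls.txt > direct.txt      # on the plain connection
#   probe_urls urls.txt > vpn.txt         # after connecting the VPN or Tor
#   newly_blocked direct.txt vpn.txt
```

Run the baseline and the tunnelled probe close together, since a site that is down for everyone would otherwise show up as "blocked"; repeating the tunnelled run from a second exit node or server is the quickest way to tell a provider-wide block from a single bad IP.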

Hacking

I had a 2014 Dell Chromebook 11 that I was not doing anything with, so I decided to turn it into a stand-alone Kali box using crouton (the Chromium OS Universal Chroot Environment).

The installation steps are pretty simple:

Add a l33t hacker sticker.

Enable Developer Mode (this will wipe the device).

Log in and download the latest crouton.

Access the terminal by pressing:
CTRL-ALT-T

Run the following commands:
shell
sudo sh -e ~/Downloads/crouton -r sana -t xfce

Go eat lunch (it takes about 30 minutes to pull down the image).

Hack (legally) all the things:
You have a couple of options for how to use Kali on the Chromebook. The option I will use the most is just the terminal. You can access it by typing: sudo enter-chroot -n sana

You can also access a full GUI by typing: sudo startxfce4 -n sana

A couple of notes:
Kali-Rolling is not working on crouton right now due to an abandoned package issue. They are working on it.
The Kali install is super lightweight. The meta-packages will be your friend when building out your image.