My Security Summer Camp Talk List

Security summer camp is about a week away so I spent some time this afternoon trying to figure out what talks and events I want to make sure I attend.
BSides Las Vegas:
A Day in the Life of a Product Security Incident Response Manager
From SOC to CSIRT
Hadoop Safari : Hunting For Vulnerabilities
Introduction to Reversing and Pwning
YARA-as-a-Service (YaaS): Real-Time Serverless Malware Detection
Abusing Webhooks for Command and Control
BSides Las Vegas Full Schedule

Blackhat:

Breaking Electronic Door Locks Like You’re On CSI: Cyber
Free-Fall: Hacking Tesla From Wireless To Can Bus
Blackhat Full Schedule

Defcon 25:

Meet the Feds (who care about security research)
There’s no place like 127.0.0.1 – Achieving reliable DNS rebinding in modern browsers
Wiping Out CSRF
Real-time RFID Cloning in the Field
Exploiting 0ld Mag-stripe information with New technology
Secret Tools: Learning About Government Surveillance Software You Can’t Ever See
Next-Generation Tor Onion Services
Using GPS Spoofing to Control Time
Cisco Catalyst Exploitation
Defcon Full Schedule

Other Events:

IOACTIVE IOASIS
ShabbatCon
Defcon Parties List
 

Quickly Building A Cloud Virtual Lab

Often while doing research I need temporary access to a bunch of different virtual machines. While it is possible to do this on my MacBook using VMware Fusion or VirtualBox, the overhead seems unnecessary for something I will delete in under a week.
My go-to solution is a virtualization stack of:
16GB DigitalOcean Droplet + Wok + Kimchi
Here is the shell script I use to build it:

#!/bin/bash
# Build a KVM host with the Wok web framework, the Ginger Base host plugin and
# the Kimchi VM plugin on a fresh Ubuntu droplet. Run as root.
set -eu
apt-get update && apt-get upgrade -y
# KVM/libvirt plus the Python and web dependencies Wok, Ginger Base and Kimchi need
apt-get -y install qemu qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils nginx python-cherrypy3 python-jsonschema python-m2crypto python-ldap python-psutil fonts-font-awesome texlive-fonts-extra python-configobj python-parted sosreport python-imaging websockify novnc nfs-common python-ethtool open-iscsi python-guestfs libguestfs-tools spice-html5 python-paramiko
wget http://kimchi-project.github.io/kimchi/downloads/latest/kimchi.noarch.deb
wget http://kimchi-project.github.io/wok/downloads/latest/wok.noarch.deb
wget http://kimchi-project.github.io/gingerbase/downloads/latest/ginger-base.noarch.deb
# Install in dependency order (Wok, then Ginger Base, then Kimchi); when dpkg
# cannot resolve a dependency, "apt-get install -f" pulls it in and finishes the install.
dpkg -i wok.noarch.deb || apt-get install -f -y
dpkg -i ginger-base.noarch.deb || apt-get install -f -y
dpkg -i kimchi.noarch.deb || apt-get install -f -y
# The web interface logs you in with the host's root password (passwd lets you reset it).
reboot

After the server is rebooted you can access the web interface at https://ip:8001 and log in with the host's root credentials. Because that is a root login on a public droplet, limit access to port 8001 to your own address with ufw or a DigitalOcean firewall before you start using it:

The next step is to add the templates you want to build VMs for:

You can use these commands to grab newer ISOs (there is a feature request to automate this):

cd /var/lib/kimchi/isos
wget -c http://cdimage.kali.org/kali-2017.1/kali-linux-2017.1-amd64.iso
wget -c http://releases.ubuntu.com/17.04/ubuntu-17.04-desktop-amd64.iso
wget -c http://releases.ubuntu.com/17.04/ubuntu-17.04-server-amd64.iso
wget -c http://releases.ubuntu.com/16.04/ubuntu-16.04.2-desktop-amd64.iso
wget -c http://releases.ubuntu.com/16.04/ubuntu-16.04.2-server-amd64.iso
wget -c ftp://opensuse.mirrors.ovh.net/opensuse/distribution/13.2/iso/openSUSE-13.2-DVD-x86_64.iso
wget -c http://slackware.mirrors.ovh.net/ftp.slackware.com/slackware64-14.2-iso/slackware64-14.2-install-dvd.iso
wget -c http://archlinux.mirrors.ovh.net/archlinux/iso/2016.09.03/archlinux-2016.09.03-dual.iso
wget -c https://download.fedoraproject.org/pub/fedora/linux/releases/25/Workstation/x86_64/iso/Fedora-Workstation-Live-x86_64-25-1.3.iso
wget -c https://az792536.vo.msecnd.net/vms/VMBuild_20150801/VirtualBox/MSEdge/Windows/Microsoft%20Edge.Win10.For.Windows.VirtualBox.zip
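The list above pulls installers over plain HTTP and FTP with no integrity check, and whatever lands in /var/lib/kimchi/isos becomes the base of every VM you build. The script below is an added example (not part of the original post) that fetches an ISO and verifies it against the SHA256SUMS file distros such as Ubuntu and Kali publish next to their images; the example URLs and the destination directory are assumptions.

```bash
#!/bin/bash
# Added example: download an installer ISO and verify it against the distro's
# published SHA256SUMS before Kimchi can use it as a template.
set -eu

# Compute the SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE SUMS_FILE
# Looks FILE's basename up in a SHA256SUMS-style listing ("<hex>  <name>" or
# "<hex> *<name>") and compares. Returns 0 on match, 1 on mismatch, and 1 when
# the file is not listed at all: an unlisted file counts as unverified.
verify_sha256() {
  local file="$1" sums="$2" name expected actual
  name=$(basename "$file")
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
  [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $name"
    return 0
  fi
  echo "FAIL $name (expected $expected, got $actual)" >&2
  return 1
}

# fetch_iso ISO_URL SUMS_URL [DEST_DIR]
# Resumable download (wget -c) into DEST_DIR, then verification. A failed check
# moves the image aside so it is never offered as a template.
fetch_iso() {
  local iso_url="$1" sums_url="$2" dest="${3:-/var/lib/kimchi/isos}" iso sums
  iso="$dest/$(basename "$iso_url")"
  sums="$iso.SHA256SUMS"
  mkdir -p "$dest"
  wget -c -P "$dest" "$iso_url"
  wget -O "$sums" "$sums_url"
  if ! verify_sha256 "$iso" "$sums"; then
    mv "$iso" "$iso.unverified"
    return 1
  fi
}

# Example (assumed URLs; the SHA256SUMS file sits beside the ISO on the mirror):
# fetch_iso http://releases.ubuntu.com/16.04/ubuntu-16.04.2-server-amd64.iso \
#           http://releases.ubuntu.com/16.04/SHA256SUMS
```

Fetch the SHA256SUMS file over HTTPS from the project's own site rather than from the same mirror as the ISO where you can; a mirror that can swap the image can swap the sums file too, and for Ubuntu the signed SHA256SUMS.gpg lets you go one step further.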

Once you are done with that it is amazingly easy to spin up VMs and manage them in the browser:

I use this virtualization stack a lot in my research and it is amazing.  If you have any questions feel free to reach out to me on twitter.

Easily Check Certificate Transparency Log

Certificate transparency logs are an amazing way to get a good overview of your certificate landscape, detect fraud (bad guys also use TLS) and find shadow IT and unknown cloud services. The problem is that there are not many good places to search these logs. The best I have found is from Symantec; it is slow and errors out often, but it works for what I need.
The easiest way I found to get the data out of this service is a simple bash script I put together that runs a curl command and downloads a .csv.
Running it is as simple as:
./ctlog.sh yourorgsname
https://gist.github.com/jgamblin/8b34ba91825a8c2859720033bfe81da8
The output should look like this:
(If it is blank the service likely timed out and you will need to rerun it.)
Unless you are really on top of your game you are likely to find a valid certificate you didn’t know about.
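The script linked above is the author's; the one below is an added example that does the same job against crt.sh, which exposes its search as JSON, and builds in the retry the post tells you to do by hand when the response comes back blank. The query syntax and the name_value field are crt.sh's; the retry count, delay and the way the output is filtered are choices made here.

```bash
#!/bin/bash
# Added example: list every host name that appears on a logged certificate
# matching a crt.sh query, retrying when the search returns an empty body.
set -eu

# Seconds to wait between attempts, scaled by the attempt number; override
# with RETRY_DELAY=0 for a quick dry run.
RETRY_DELAY="${RETRY_DELAY:-5}"

# retry_nonempty TRIES CMD [ARGS...]
# Run CMD until it produces non-empty output or TRIES is exhausted. CT search
# front ends tend to time out and hand back nothing rather than an error, so
# an empty body is treated as a failed attempt.
retry_nonempty() {
  local tries="$1" body n
  shift
  for n in $(seq 1 "$tries"); do
    body=$("$@" 2>/dev/null || true)
    if [ -n "$body" ]; then
      printf '%s\n' "$body"
      return 0
    fi
    echo "attempt $n/$tries returned nothing" >&2
    [ "$n" -lt "$tries" ] && sleep $((n * RETRY_DELAY))
  done
  return 1
}

# extract_ct_names < crt.sh JSON
# Each record carries a "name_value" field holding the CN and SANs separated
# by a literal "\n". Emit the unique names, one per line, in byte order.
extract_ct_names() {
  grep -o '"name_value": *"[^"]*"' \
    | sed 's/^"name_value": *"//; s/"$//' \
    | awk '{ gsub(/\\n/, "\n"); print }' \
    | LC_ALL=C sort -u
}

# ct_names QUERY
# QUERY is a domain ("example.com") or a crt.sh identity pattern such as
# "%.example.com" for every subdomain; "%" is URL-encoded as "%25".
ct_names() {
  local q
  q=$(printf '%s' "$1" | sed 's/%/%25/g')
  retry_nonempty 3 curl -fsS --max-time 60 "https://crt.sh/?q=${q}&output=json" \
    | extract_ct_names
}

# Example: ct_names '%.example.com'
```

Diff the output against your asset inventory (comm -13 inventory.txt ct.txt) and every line that remains is a host that has a publicly logged certificate but no owner on record, which is exactly the shadow IT the post is after.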

Early Lessons Learned in Car hacking

Ever since Charlie Miller hacked a Jeep while it was driving on the interstate I have wanted to learn more about Car Hacking but really had not had a chance to get started with it until a month ago when I ordered a Carloop and was ready to get hacking:

… or so I thought.  Turns out car hacking is hard… like, really-really hard. While I have not “hacked” anything yet I have learned some early lessons:

Once you get the basic setup down you will spend a lot of time in your driveway and garage doing this:

“Car Hacking” is fairly new and you will likely not find a lot of information about your car online and will have to decode (and hopefully share) a lot of the information you find.  Reddit and Twitter have some fairly active discussion groups.
Car Hacking so far has been an amazingly fun project and there are amazing new tools coming out all the time.  I just backed Macchina on KickStarter this week and would like to pick up a canb.us.  I am sure my car hacking tool kit will continue to grow.
I will be blogging more about my adventures into car hacking over the next couple of months as I learn more and have more to share.

Insta360 Nano

I was lucky enough to get a hold of an Insta360 Nano this week and it is some of the most amazing technology I have seen recently. It allows for truly instant 360 photos, videos and timelapse captures. As one of the people I was showing it to this week said, it is the “selfie stick of 2017”.
Here are some examples of the stuff I captured this week.
Photo:

Time Lapse:

I am really looking forward to taking it to the RSA conference and London next month.

Port Scanning Through TOR

Scanning a host with nmap is a fairly routine act in security, but from time to time you want either a different view of a host or to conceal your public IP. In that case I use this simple “trick” to run an nmap scan through TOR.
To do so you need to make sure you have nmap, tor and proxychains installed on your machine.
The simplest way to install these tools on ubuntu is with this command:
sudo apt-get update -y && sudo apt-get dist-upgrade -y && sudo apt-get install tor nmap proxychains -y
Once that is complete, proxychains nmap <options> <target> will run your nmap scan through the TOR network via proxychains. The options matter: proxychains only intercepts connect() calls, so -sT (full TCP connect scan) is the only scan type that actually goes through the tunnel, -Pn skips host discovery (ping probes would go straight to the target from your own IP) and -n stops nmap from doing its own DNS lookups. In this example I ran proxychains nmap --top-ports 10 -sT -PN -n -sV 50.87.249.69 against my blog:

A couple of protips:

  • This method is slow. You will want to know the hosts and the ports (--top-ports 10) you want to scan and limit the scope as much as possible.
  • This *isn't* 100% anonymous. While using proxychains and TOR gives you a basic level of anonymity, it can still be unwound.
  • Wear mittens when it is cold outside.
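The part of this that bites people is not proxychains but nmap's other scan types: a SYN scan, UDP scan or OS fingerprint uses raw sockets, which proxychains never sees, so the probes leave your real address on the target while the proxied part of the scan looks fine. The wrapper below is an added example (not from the original post) that refuses those options, checks that Tor is really listening on the default SOCKS port, shows which exit IP the target will see, and forces -sT -Pn -n on. It assumes the stock /etc/proxychains.conf pointing at socks4 127.0.0.1 9050 and the check.torproject.org/api/ip endpoint for the exit check.

```bash
#!/bin/bash
# Added example: run nmap through Tor via proxychains without leaking probes.
set -eu

TOR_SOCKS_HOST=127.0.0.1
TOR_SOCKS_PORT=9050   # assumed to match the proxy line in /etc/proxychains.conf

# check_tor_safe NMAP_OPTIONS...
# Return 0 if every option can be proxied, 1 (with a reason on stderr) if one
# of them would send raw-socket traffic around the tunnel.
check_tor_safe() {
  local a
  for a in "$@"; do
    case "$a" in
      -sS|-sU|-sA|-sW|-sM|-sN|-sF|-sX)
        echo "refusing $a: raw-socket scan types bypass proxychains" >&2; return 1 ;;
      -O|--traceroute)
        echo "refusing $a: OS detection and traceroute use raw packets" >&2; return 1 ;;
      -sn|-PE|-PP|-PM|-PS*|-PA*|-PU*)
        echo "refusing $a: host discovery probes go direct to the target" >&2; return 1 ;;
    esac
  done
  return 0
}

# tor_nmap_cmdline TARGET [NMAP_OPTIONS...]
# Print the command that will be run, with the three mandatory flags first.
tor_nmap_cmdline() {
  local target="$1"
  shift
  echo proxychains nmap -sT -Pn -n "$@" "$target"
}

# tor_is_listening: bash-only TCP probe of the SOCKS port, no netcat needed.
tor_is_listening() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$TOR_SOCKS_HOST/$TOR_SOCKS_PORT" 2>/dev/null
}

# tor_nmap TARGET [NMAP_OPTIONS...]
tor_nmap() {
  local target="$1"
  shift
  check_tor_safe "$@" || return 1
  if ! tor_is_listening; then
    echo "tor is not listening on $TOR_SOCKS_HOST:$TOR_SOCKS_PORT" >&2
    return 1
  fi
  # Show the exit the target will see. --socks5-hostname keeps the DNS lookup
  # for check.torproject.org inside Tor as well.
  echo "exit as seen by Tor:" >&2
  curl -sS --socks5-hostname "$TOR_SOCKS_HOST:$TOR_SOCKS_PORT" https://check.torproject.org/api/ip >&2
  echo >&2
  tor_nmap_cmdline "$target" "$@" >&2
  proxychains nmap -sT -Pn -n "$@" "$target"
}

# Example: tor_nmap 50.87.249.69 --top-ports 10 -sV
```

Run it as an unprivileged user as well: nmap falls back to connect() scans without root anyway, so there is no raw-socket path left for a stray option to take.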

Grizzly Steppe IP and Hash Analysis

Yesterday US-CERT released information on GRIZZLY STEPPE, the name given to the Russian malicious cyber activity behind the DNC hack. The IP and hash information provided by US-CERT was really lacking, so I decided to dig through it and see if I could make more of it.
The first thing I did was to run the IPs through an ipinfo2sheets spreadsheet I put together earlier this year and got way better data:

Once I got more data for the IPs I noticed that it looked like there were a lot of TOR exit nodes on the list.  So I cross referenced the IP addresses from the US-Cert against the TOR exit node list and 21% (191 of 876) of them were TOR exit nodes:
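The same cross-reference from the command line, as an added example that is not the spreadsheet used in the post: it takes the indicator file as published (CSV rows, defanged addresses and duplicates included), pulls the current exits out of check.torproject.org/exit-addresses, which lists one "ExitAddress <ip> <timestamp>" line per exit, and reports the overlap. File names are placeholders.

```bash
#!/bin/bash
# Added example: cross-reference an indicator list against Tor exit addresses.
# Usage: tor_overlap_summary indicators.csv exit-addresses
#   where exit-addresses comes from
#   curl -sS https://check.torproject.org/exit-addresses -o exit-addresses
set -eu

# tor_exit_ips < exit-addresses
# Keep only the ExitAddress lines and emit their IPs, sorted for comm.
tor_exit_ips() {
  awk '$1 == "ExitAddress" { print $2 }' | LC_ALL=C sort -u
}

# clean_ips < any text
# Pull IPv4 addresses out of whatever the indicator file looks like: CSV
# columns, "[.]" defanging and repeated entries are all tolerated.
clean_ips() {
  sed 's/\[\.\]/./g' \
    | grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
    | LC_ALL=C sort -u
}

# tor_overlap INDICATOR_FILE EXIT_FILE
# Print the indicator IPs that are currently Tor exits, one per line.
tor_overlap() {
  local a b
  a=$(mktemp)
  b=$(mktemp)
  clean_ips < "$1" > "$a"
  tor_exit_ips < "$2" > "$b"
  LC_ALL=C comm -12 "$a" "$b"
  rm -f "$a" "$b"
}

# tor_overlap_summary INDICATOR_FILE EXIT_FILE
# Print "<matched> <total> <percent>" for the indicator list.
tor_overlap_summary() {
  local total matched
  total=$(clean_ips < "$1" | wc -l)
  matched=$(tor_overlap "$1" "$2" | wc -l)
  awk -v m="$matched" -v t="$total" \
    'BEGIN { printf "%d %d %.1f\n", m, t, (t ? 100 * m / t : 0) }'
}
```

Exit addresses churn, so the percentage you get depends on when you fetch the list relative to when the indicators were collected; the TorDNSEL file carries a timestamp per line, and for a historical indicator set the archived consensus for that date is the better comparison.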
From there I decided to map the IPs on a google map to see where they were all located:

Next I looked at the hashes, and this morning VirusTotal says that only 28% of AV engines detect the Grizzly Steppe files:

I put a copy of this spreadsheet here.

Overall, after spending a few hours looking at the Grizzly Steppe data, it is disjointed and ambiguous and really doesn’t provide any actionable data for most companies.

DIY USB Killer

In November I saw this YouTube video on turning a USB air purifier into a $75 USB Killer:

My soldering skills are basically nonexistent so while I had some time off around the holidays I decided this would be a decent project to help improve them.
So in early December I ordered 3 of these from Amazon:
USB ionic Oxygen Bar Freshener Air Purifier ionizer For Laptop Black+White

These from GearBest would also work:
Rotating USB Style Air Cleaner – WHITE AND BLACK
A week or two after I ordered them this ChinaPost envelope showed up in my mailbox:  
I got my soldering station set up and was ready to go to work:
After snapping off the case the first thing you have to do is desolder the pigtail:


The next step is to solder a wire  to the resistor towards the bottom of the board:

You then solder the other end of wire to the data lead on the USB connector:

(Tip: You should probably use wire thicker than 24 AWG.)

You now have a USB Killer to *not do* evil things with:
Disclaimer: Don’t be a JERK. This will fry motherboards. Don’t plug it into anything you are not ready to replace.

Digital Ocean Slack Bot

I had a coach whose favorite quote was “Pain is the best teacher.” and that was the first thing that popped into my head this morning when I realized that I had left an $80 a month Digital Ocean Droplet running for an extra 3 weeks after I got done using it. To be honest $60 isn’t *that* painful but it did prod me to write a slackbot that will post all my running droplets to slack once a day:
 

Here is how I set it up:

https://gist.github.com/jgamblin/83f7eb018d7953497e30802ed23e2041

  • Copy this line to your crontab to post a list of running droplets at 0800 every day:
    00 08 * * * /path/to/dobot.sh
  • Enjoy not wasting money on abandoned cloud servers.
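The gist linked above is the author's script; what follows is an added example that does the same thing with the DigitalOcean v2 droplets API and a Slack incoming webhook, and adds the monthly price of each size so the message shows what an abandoned droplet is costing. Assumptions: a read-only DigitalOcean token stored in ~/.do_token with mode 0600, the webhook URL in SLACK_WEBHOOK_URL, and jq available to walk the API JSON.

```bash
#!/bin/bash
# Added example: post running droplets and their monthly cost to Slack.
# Run as: dobot.sh --post   (cron line: 00 08 * * * /path/to/dobot.sh --post)
set -eu

DO_TOKEN_FILE="${DO_TOKEN_FILE:-$HOME/.do_token}"   # assumed location, chmod 600

# list_droplets
# One line per droplet: "name size region status price_per_month".
# The token only needs read scope for this, so issue it read-only.
list_droplets() {
  curl -fsS -H "Authorization: Bearer $(cat "$DO_TOKEN_FILE")" \
    'https://api.digitalocean.com/v2/droplets?per_page=200' \
    | jq -r '.droplets[] | "\(.name) \(.size_slug) \(.region.slug) \(.status) \(.size.price_monthly)"'
}

# format_report < droplet lines
# Turn the listing into the Slack message text with a cost total on top.
# Assumes droplet names contain no spaces (they are one column here).
format_report() {
  awk '{
         n++
         total += $5
         body = body sprintf("- %s: %s in %s, %s, $%s/mo\n", $1, $2, $3, $4, $5)
       }
       END {
         if (n == 0) {
           print "No droplets running."
         } else {
           printf "%d droplet(s) running, about $%.2f/month while they stay up:\n%s", n, total, body
         }
       }'
}

# post_to_slack < message text
# jq builds the payload so a droplet name with quotes cannot break the JSON.
post_to_slack() {
  local text
  text=$(cat)
  jq -n --arg t "$text" '{text: $t}' \
    | curl -fsS -X POST -H 'Content-Type: application/json' --data @- "$SLACK_WEBHOOK_URL"
}

if [ "${1:-}" = "--post" ]; then
  list_droplets | format_report | post_to_slack
fi
```

The webhook URL is itself a credential (anyone holding it can post into the channel), so keep it out of the crontab line and in an environment file or the token file's neighbour with the same permissions.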

Making It Snow (In Your Terminal)

I am a huge fan of snow and hacky one line linux commands.   Thanks to some amazing people on twitter and a little too much free time at the end of the year they have both combined to bring snow to your terminal window just in time for your winter based holiday.
This command works on OSX out of the box:
for((I=0;J=--I;))do clear;for((D=LINES;S=++J**3%COLUMNS,--D;))do printf %*s.\\n $S;done;sleep .1;done

This command is a little longer and requires pv (sudo apt-get install pv) but looks amazing on Ubuntu:
yes $COLUMNS $LINES|pv -qL50|perl -ne'$|=1;($c,$r)=split;$s||=$"x($c*$r);print$s;$s=$"x$c.$s;substr$s,rand$c,1,"*";$s=substr$s,0,$c*$r+$c;' 
