
Hacking Reno: WebApp Pentesting

Four days in Reno was cerebral overload. 

Attending the Wild West Hack’n Fest presented by Black Hills Information Security, I tried to squeeze as much data into the ole’ brain-box as possible. It’s a small box as far as brain-boxes go, so I’m pretty sure I tore something, and now my personal data is leaking out all over the place. 

The first night there I dreamed I was at a diner and the waitress asked me, “How would you like your brains: Compiled, compressed, encoded, hashed, or salted?” When I woke up I discovered I had developed a stutter that lasted most of the day. 

By the time it was all over my brain felt like it had been in a pie-eating contest that never stopped. One of those last idiot-standing contests. Skull stuffed to near bursting and face a slaughter of smeared blueberry confusion. I wonder what drives me. This blog post is the inevitable regurgitation of that cerebral gluttony. 

This is part one of my sloppy attempt at summarizing the 4-day info feast.    

The Nugget Casino hosted the conference. The ringing bells and whirling whistles of the casino floor opened up my dopamine receptors as I walked through the door. The blinking and twirling lights aroused my limbic system which started pumping adrenaline into the mind-mix. My lower brain wasn’t sure if it was supposed to fight, flee, or poop. Casinos have to be one of the apex environments for social engineering. I felt a little like I was about to get on a rollercoaster. Kinda sick to my stomach, kinda excited, I realized the siren song of beer and slot machines was calling to me. I hovered a second or two before managing to gather my withering wits and turn my nose to the scent of nerd and find my flock.

I followed the odor of burnt neurons to the second floor where I heard the enigmatic chatter of cryptologists debating blockchain. My class was in a large conference room that could have fit a hundred people easily, but physically present only ten were seated in front of the giant screen displaying PDF slides of the inner workings of websites. I won’t pretend that I understood everything. In these classes, I often feel like a monkey punching buttons as fast as I can. All the time hoping for a banana that never comes. But at least I keep notes and hope with repetition comes familiarity and competency. 

The very first thing mentioned was situational awareness. 

Be still my sweet martial art heart. He had me at “situational”. I knew no matter how techie this got, the instructor was connected to a narrative I could follow. 

The instructor’s name: BB King. He provided a master’s class in more than just pentesting the delicate membranes between user-input and website interface. This was also, for me at least, a dissection of the complexity of language and its primordial underpinnings. It was a study in the history of technology and communication.

Let me say upfront, I was intimidated by the technical material. I was also very anxious about the travel after being in my Covid bubble for a year and change. So I was wound up tight. BB’s presence helped melt that away. It felt ok to be in the deep end of the technical pool with BB as the intellectual lifeguard. 

I paraphrase liberally, but he said: One of the keys to mastery of cybersecurity (and life in general) is curiosity. The hunger to know how everything works offers unique leverage. As BB put it, all tools have uses beyond their original design. What can a tool do that it was not intended to do? Ask, what would MacGyver do? For this class, that meant testing the user input fields with a tad bit of SQL injection, a dash of URL manipulation, and a smidge of fuzzing.

BB set up a great VM with Juice Shop and Burp. He walked us through developer tools in web browsers and the functionality of Burp’s tools to examine websites and bypass WebApps. BB made multiple rounds around the room to check on each of us individually. He never seemed rushed by the fact that we were stuffing 24-hrs worth of information into 16-hrs. I just tried to keep up as we blew through a dozen labs picking apart the vulnerabilities inherent to the system.

Something that was super valuable was that the class broke down the Top 10 OWASP list into just 3 issues. Not 10 issues. 3 issues. Aside from 1) Malicious Input, there was only: 2) Insufficient Logging and Monitoring; and 3) Sensitive Data Exposure. 80% of attacks are some form of malicious input. The other portion of OWASP is basically people shooting themselves in the foot. 

Midst all that tech talk, BB had a couple of comments about bird songs and body language that really stuck with me. 

The sound of birds chirping, that sound we find lovely and melodic, it’s actually a bird’s warning to other birds. It’s a declaration of territory. I own this tree. This is my branch. Keep your distance. BB added, that the reason humans like the sound of bird songs so much is that the sound informed our ancestors that they were safe in the woods from predators. If the birds ever went silent, if the bird song stopped, then that was a very bad sign. It meant predators were near. Big ones.

The key takeaway: you don’t need to know the whole language to decode useful information. We had no idea that the bird song was a warning to other birds, but the lack of its pattern was a warning to us about nearby threats.

Another nugget BB shared: there are 21 culturally universal emotions that can be communicated with body language. Did he say body language? Totally speaking my language. This was when we were talking about encoding information and it made me wonder about the pros and cons of language. How easily things can be misconstrued or miscommunicated. Use the wrong word in the wrong context, things can get ugly quickly. It matters what you put into the system. 

Or simply put for defenders: Input Sanitization matters. 

The first rule of apps is that they are made for people to use. There must be an interaction between the person and a program. Requests are made. Responses occur. Anywhere a user can add information into the system, and possibly poison the ecosystem, that spot is a dangerous place to be short-sighted about security.

Imagine WebApp testing as a tiger sniffing out a good place to execute an ambush. Once the tiger knows where the animals go to get water (information crossing a boundary), they have discovered a vulnerability in both the environment and the prey’s behavior that can be exploited.

It’s now a matter of just watching and learning the patterns. Lying in the tall grass, hiding in wait for the bird song to return and all the little animals think it’s safe to come out again. Or maybe tigers aren’t the best analogy, but I do like tigers a lot. And if you’ve never read Tiger, you’re missing out. 

Anyway, in my case, it means to sit and practice hacking labs taking advantage of cross-user privacy invasion; client-side controls; faulty assumptions; unlinked items; directory indexing; insecure direct object references; and redirect filters. And that was just the beginning. Did I mention, I developed a muscle tic in my right eye? 

By the end of the 2nd day, the stutter was gone. But on the 3rd day, my right eye started randomly winking closed. I think that means my left brain wasn’t completely up and running just yet.

I grabbed coffee, kept my head down, and got ready for round 2. The final 2-days of lectures included: Red Team Automation, Gamification of MITRE ATT&CK, Cracking Cloud Security, Network Defense Modeling, and Offensive Deception. 

Ever read A Scanner Darkly? The protagonist is a detective hunting a drug dealer. Spoiler: the detective discovers he is the drug dealer. Or Fight Club, in which the unnamed protagonist discovers his alter ego is a cult leader of an anti-civilization urban-guerilla terrorist organization. That’s the feeling I was getting. I was two different people. A double agent moving between the good guy and the bad guy until there was no difference between the good and the bad just knowledge, tools, and leverage. It’s not ethics, it’s actions along a barrier. There is attack and defend the barrier.

Cyber is about controlling the flow and the mastery of the space between all things. Even the space and flow between the many minds that make up our minds (A Thousand Brains Theory).

Cyber-Sorcerer-Ninja-Detective

The world that is emerging from our electronic interactions needs a lot of patches. It’s growing and in need of constant adjustment, reconfiguration, and stabilization. For my part, this week was dedicated to learning how to hide, lure, track and trap bad guys for 4 days and a total of 16-hours of training on Active Defense and Cyber Deception with Black Hills Information Security. This was one of three courses they offer for the very affordable price of pay-what-you-can. Don’t let the generosity fool you. John Strand provides these courses as a mission. He believes we are all far behind in the cyber security game and there is lots of ground to make up. After 15 years as a SANS instructor, he has lots of value to offer. Plus, his energy is contagious. He does seem to truly be possessed with a desire for the greater common good we all share.


What did I learn? Illusions, traps, and other cyber-bending ninja-detective tricks. Unfortunately, a good cyber-sorcerer-ninja-detective never reveals the mechanics of their tricks (that’s not true, they don’t mind sharing at all). 


1st day was strategy and defining what active defense is and isn’t. It’s not waiting for the SIEM (monitoring system) to tell you something is wrong. The SIEM is designed to find threats that are known. We are looking for very sneaky people. They will find a new way in, something the SIEM can’t detect. 


The key to stopping the attacker is understanding the path of the prey. Where do they need to go? Know this and you know where to lay the traps that suck up their time. The illusions that lead them down the wrong rabbit hole to infinite nothing. And this may be the key takeaway. Make it a time suck to mess with you. Make it not worth the hassle to hustle ya. 


Show’em something pretty. Something they have to look at. Delay them, obfuscate the prize, and frustrate their basic efforts. Don’t be the low-hanging digital fruit, just dangling out on the internet waiting to be easily exploited. 


How do you slow them down? Honey, and lots of it. Your main weapon is a long list of honey: honey-pots, honey-servers, honey-networks, honey-users, honey-files, and yes Honey Badger! What are all these honey-techs? They’re big fake data burritos wrapped in alerts, stuffed with traps, and trackers. These techniques and tools draw the attacker into a fake world with sweet-looking data. A juicy-ripe text file with a bunch of sexy financial information and contacts that can’t be resisted. 
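Here is what "fake data wrapped in alerts" can look like on the defender's side, as an added example that is not from the course or from Black Hills Information Security. The decoy account, decoy file path, log format, and addresses are all constructed assumptions; the point is that any touch of a decoy is worth an alert, because nothing legitimate should ever use it.

```python
import posixpath
import re
from dataclasses import dataclass

# Hypothetical decoys: no real user or process has a reason to touch these.
HONEY_USERS = {"svc_backup_admin"}
HONEY_FILES = {"/srv/finance/2021_wire_transfers.txt"}

# Constructed sample log (invented format and values, not from a real system).
SAMPLE_LOG = """\
2021-10-01T09:14:02Z auth user=alice src=10.0.4.17 result=success
2021-10-01T09:15:40Z file user=alice src=10.0.4.17 op=read path=/srv/finance/q3_report.xlsx
2021-10-01T09:31:11Z auth user=svc_backup_admin src=10.0.9.88 result=failure
2021-10-01T09:33:57Z file user=bob src=10.0.9.88 op=read path=/srv/finance/2021_wire_transfers.txt
2021-10-01T09:34:03Z file user=bob src=10.0.9.88 op=read path=/srv/finance/../finance/2021_wire_transfers.txt
garbage line that does not parse
"""

FIELD = re.compile(r"(\w+)=(\S+)")

@dataclass(frozen=True)
class Alert:
    when: str
    kind: str   # "honey-user" or "honey-file"
    decoy: str
    src: str

def parse(line):
    """Return a dict of fields, or None for lines that are not auth/file events."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3 or parts[1] not in ("auth", "file"):
        return None
    rec = dict(FIELD.findall(parts[2]))
    rec["when"], rec["event"] = parts[0], parts[1]
    return rec

def find_alerts(log_text):
    alerts = []
    for rec in filter(None, map(parse, log_text.splitlines())):
        src = rec.get("src", "unknown")
        if rec["event"] == "auth" and rec.get("user") in HONEY_USERS:
            # Failed logins count too: even guessing at a decoy account is a signal.
            alerts.append(Alert(rec["when"], "honey-user", rec["user"], src))
        elif rec["event"] == "file":
            # Normalise first so "../" detours cannot dodge the exact-match check.
            path = posixpath.normpath(rec.get("path", ""))
            if path in HONEY_FILES:
                alerts.append(Alert(rec["when"], "honey-file", path, src))
    return alerts

def sources_to_investigate(alerts):
    return sorted({a.src for a in alerts})
```

Unlike a signature in the SIEM, this check needs no knowledge of how the intruder got in; it only needs the decoys to stay unused by everyone else.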


2nd day we talked about the legal issues that come with the territory. This is a whole new frontier as far as the law is concerned. Stand-out thought is how far behind the legal concepts of property and privacy are in relation to the digital dimensions of our lives. It’s an 8-bit paradigm trying to govern an Oculus world. It would do me some good to study up search and seizure law. The question to answer: when are you a detective and when are you the interloper violating someone’s rights? 

Day 3, the slide reads “Don’t Get Shot!” and the class focuses on your safety as an investigator. As in, you may find yourself dealing with bad people. You might play a big part one day in locating said bad people and putting them in prison. Sometimes bad people hold grudges. You don’t want your name on anything bad people can reference. You want to be a ghost, a shadow warrior. That’s right, John added to my practical knowledge of how to make people disappear and attack from the shadows. Always happy to add a little more ninja to my bag of tricks.


Day 4, how far does defense go until it becomes offense? We learned techniques that trapped our network baddies in infinite loops that “inadvertently” shut down their systems. Is that wrong? Well, it’s complicated. How far is too far depends on your warrant and what 3-lettered agency is writing the check. But that’s the justice side. Maybe you’re not working for the government. What about private clients? What would you do for the cash? What wouldn’t you do for cash?


In some cases, your client might not be interested in taking any of this to court. As in, they aren’t concerned with the legality of your work and whether it might stand up in court. That’s when you have to decide for yourself what kind of InfoSec operator you are. Are you a mercenary, a kinda cyber-gun-for-hire? Or are you going to be an agent of justice? Or chaotic good and you just can’t help yourself because of some twisted extreme perceptions of fair and foul play? Or maybe you’re just smart enough not to get involved in clandestine cyber-pissing contests.


It’s easy researching and studying security to get paranoid; to think that there is a never-ending wave of threats. And while that might be true, there are ways to limit vulnerability. For a business or an individual, it’s not that difficult to avoid being easy pickings. Remember you don’t have to be faster than the bear, just faster than the rest of the campers when the bear arrives.


My CompTIA Security+ certification test is coming up in a few weeks. Time to buckle down and memorize an ocean of acronyms, hashes, ports, and protocols. But while that test is important, my mind will still be on the terrors of a Spider Trap and the devious capacities of Honey Badger. I look forward to building a digital hall of mirrors and digging cyber-tiger traps filled with my own assortment of deadly links. That’s right folks, two can play at the sneaky link game. Actually, we should all be learning how the game is played. 


After all, ya gotta be a cyber-sorcerer-detective-ninja to catch a cyber-sorcerer-ninja.


What Holds Us Together?

7 months ago I saw the world differently. 

When it came to technology, I was worried about all the wrong things. For example, is my phone listening to me? Yes. Absolutely it is. But in so many more ways other than just listening to your voice. To appropriately quote the Police, it measures “every step you take and every move you make.” Listening isn’t the issue. 

Whether or not my phone is listening to me isn’t even on my top 10 list of sci-fi-future fucked-up shit I worry about now. We live in a world with an electric heartbeat. Digital pulses and near-psychic interfaces link us instantly to each other. We are caught as much in the technological net as a fly is trapped by a web. But we are also as much on the web like the spider as caught like the fly. Complete and full immersion. Hunter and hunted. Most of us think the internet is an amusement park when it’s actually a hunting ground. IoT (Internet of Things) isn’t a luxury, it’s a hunter’s blind. And is it me or does anybody have a problem with the use of the word “Things”? “Things” sounds like the sequel to John Carpenter’s alien horror film (probably my favorite horror movie, ever).

Technology has made each of us more powerful and more vulnerable simultaneously. Any one of us with just a little training could create chaos with a few clicks of the keyboard. For instance, I spent last weekend on the Department of Homeland Security’s website taking classes on Infrastructure Control Systems and cyber security. ICS monitor and control systems that often require real-time info and are extremely sensitive to delay, systems in which shutdowns can be catastrophic. Think dams. Think power plants. Think runaway trains. Think nuclear centrifuges. Big stuff that needs to work really well or all the lights go off, shit explodes, glows and fragile ecosystems are destroyed.

After 6-hrs of videos and tests about the Vulnerabilities, the Risks, the Threats, the Methodologies, IT Mapping, and the Consequences of cyber security issues with ICS, I was not optimistic. Nope, I was more like, “Sweet Mother of Burning Circuits, we are in trouble!”  Don’t trust my hyperbole, check out the links below.

Water Plant Hack in Florida - Oh, Florida...

Hackers in Electric Grid - Yep, this is no joke.

Easy Access Tools - It’s way too easy for the bad guys.

Or go read Sandworm.

But don’t worry, I got a plan to save the world.

