Opinion


Technician – How the brain works

A problem. . .

An interesting chore came up for me at work this week (primary job). I had opened a case with the support team about data not being created properly on one of our highly used CDNs. After confirming that this was the issue, the support guy at HQ told me that this issue had been fixed.

Digging through all the information for a second and third time. . .

Digging through all the info again, just for follow-up, I found another repository that appeared to have the exact same issue as the first. Curious, I investigated a little bit more, and now that I knew what I needed, I could quickly identify this repo as another problem. I notified the same support guy at HQ that I had found another repo with the same issue, and he quickly confirmed the issue there.

This is the big question now, what do you do? Do you let sleeping dogs lie?

After working through this extremely annoying and somewhat hard-to-find issue with HQ support, and everything, I thought, hey, I think it would be a good idea to ensure that content matches across our various CDNs, as that seems like something that is definitely a concern for us, and for all our repos of data.

Why should I have to be the one to recommend to everyone involved, hey, I found this issue on two of our very large repos, let’s go ahead and do a little bit of research and make sure this isn’t a problem elsewhere? Why is it only my brain that says, “Hey, we saw this issue in a couple other spots that are pretty high availability, and in general potentially seen by a large amount of people, let’s go ahead and check the entire system to make sure all is a-ok.”

What’s the right answer?

Coming out of retirement ;-) – An observation into your job-life, as well as your personal life – The way to be

— OPINION PIECE —

An interesting thing has been popping up in my life recently. In the never-ending and ongoing debates we all see on Facebook, one argument piece that I’m seeing used way too much is making its way down. Not only am I seeing this technique used in Facebook “debates”, but there is also an overwhelming amount of people that live their lives this way. So, not only does it apply to how you “debate” people on Facebook, but a lot of it applies to your everyday life.

Being a “Linux” guy in a shop full of 30-year Unix veterans is the best way I can describe this. When you explain to an old-school Linux guy that they shouldn’t be stopping their computer system by using the “halt” command anymore. Sure, an admin can still issue the halt command, but is it the right way to shut down a Linux system? No, no it isn’t.

Then why are you doing things this way. . .

A common thing I hear, again, in my everyday work-life, is, “It worked 25 years ago on an old Unix SysV, it’ll work now.”

You’re right, and you’re wrong. Yes, it once worked, 25 years ago, on your old Unix SysV, and it “sort of” works on modern Linux systems. In the end, it would be better if you changed your “halt” ways, and started to make use of shutdown or, to go even more modern, systemctl.

The same thing applies to how you approach your personal life, and your Facebook life. . .

The same argument I had about someone’s “work-life” also applies to what I see on Facebook, and social media in general. It is scary for me to think that someone wouldn’t approach stuff with an open mind.

In a community group on Facebook, someone posted a picture of merging due to a road closure, and was looking for community understanding on how to handle this. Being informed, and relatively well-read on the subject, I noted on the post the “Zipper” merge theory, why it works, and when you should and shouldn’t use it.

This is where the “debate” started, and I’m not calling it a debate, as there were no counter-points brought up in the discussion.

What does it take, for you to see a life-changing difference in the way you’re doing things?

After clearly laying out the discussion, the scientific methods and tests that were performed, why wouldn’t someone just look at it and say, “You know what, I’m going to give this a try as I drive into work tomorrow.” But instead you say, “Eh, baloney, I’m not readin’ no stinkin’ article, and your opinion and scientific facts you brought forward.”

That, in my mind, is where the disconnect happens, again, in personal life, like a Facebook conversation or debate, or in real life, at your job.

There are 2 types of people on this planet, those that want to learn new/better things, and those that don’t. . .

Don’t be stuck thinking your old way of doing something is always the best. Try something new, and you might change the way you drive to work, or the way you shut down a Linux system.

— End Opinion Piece —

Extra security, but not for security, but for “bots” _OR_ How I embraced the API and learned to love it

Oh Packt, Packt, Packt, why did you do it?

After troubleshooting a lot of issues that I was having with my login for Packt Publishing, I found something that I found a little bit disturbing, and I would like to reach out to management at Packt Publishing just so that I can get an idea of why they did it.

But what did they do?

Packt recently added captchas to their website, in multiple locations, to prevent automatic logins, scraping, and automated book downloads.

Why did they do it?

When a scenario like this occurs, there are usually two things happening. On one side, something is happening that the owner of the website (and usually this means the owner of the company) wants to prevent from occurring.

On the other side, there is usually something happening at the user end for this action to be occurring. Now, it can get tricky here: there are various reasons end-users or customers would use automation, ranging from downright nefarious to purely innocuous.

On the nefarious side of things, a “bad guy” could be spamming forums, product reviews, and many other pieces of the website. I’d like to hear from Packt, to see if this was any sort of concern during the decision-making process to include captchas on their site.

On the innocuous side, there are people like me. I automate a login and a form submission so I can get Packt’s Free Learning Book of the Day. I also use a script, or a “bot”, to download the books that I have either purchased or acquired free from Packt through their program, because doing that by hand would literally take hours upon hours to complete, due to the mechanics of their website.

Irony

Ok, are you ready for it? This is where the irony comes in. Packt sells multiple books (by multiple, I mean 30+) on automating tasks, or scripting, or literally on scraping websites using Python. Which is more or less what I’m doing.

Packt, please redeem yourself and become awesome at doing what you do

What does this mean? I think what I’m asking for is for Packt to remove the captchas from their website, open the site as it was previously, allow authenticated users to scrape the necessary info they are trying to get at, and embrace what their users or customers want from them and their website.

Step 1

Remove the captchas from your website, or, if you can somehow claim that they are for security reasons, put them in the exact spot where you’re trying to stop the auto-posting bots; that is, move them away from the login page and the Free Learning page, and put them where the bots are potentially posting malicious information.

Step 2 (this is the whole extend part)

Make it _easier_ for users to get the data that they are after. Create an authenticated API to list the books a user has purchased and wishes to download. Make it easier for users to — again, after authenticating — claim the Free Learning book of the day.

Extra Credit — The Challenge

What I want to see is a 3-month ledger on profits/costs if this is implemented. I would be willing to bet that profits would be up.

Packt, take the Open Organization challenge and open yourself up.

I’m going to attempt to contact someone at Packt to get these answers, and I will return later, in new posts, if Packt is kind enough to reach back to me and answer those questions.

The myth of the cybersecurity skills shortage

Cybersecurity skills shortage

Source: ComputerWorld by Ira Winkler

Interesting article up for a read at ComputerWorld, which, all in all, is a good thing. The article, “The myth of the cybersecurity skills shortage”, has Winkler calling out companies that are claiming there is a cybersecurity skills shortage; which I don’t necessarily believe there is.

From the article at ComputerWorld:

The approach that seems to prevail these days — seeking a new hire who already has the right skills and experience or hiring them away from another organization — just doesn’t work. But it is why so many people believe there is a shortage of security professionals.

Mr. Winkler hit the nail on the head with this statement. I have a significant amount of security experience; I’ve worked for the government, large companies, medium companies, and small companies. I will generally do reasonably well at any interview question posed to me. The problem I’m seeing is that there are companies out there that have beaten it into the heads of their employees that they are looking for someone who is an absolute master of skillset X, and disregard everything else. I, like many other security practitioners, have my weaknesses; if I am slightly weaker in skillset X, then I am immediately assumed not to be a good fit for the job.

The way I like to pursue jobs is I aim for something I want to do, with a company I wouldn’t mind doing it for. Whether I have 100% strength on skillset X, or whether I’m slightly weaker at X but extremely strong at skillsets Y and Z, I will still apply, but a decent amount of the time I’ll get shot down, due to the assumption that because my skillset at X isn’t the greatest, I’ll never be able to catch up. This is where the fallacy in the argument lies. Company X needs to look at candidate skills, and base their decision on the ability of the candidate to learn skillset X (if skillset X is truly the reason for hiring). So again, there are areas where I’m slightly weaker, such as DLP. That doesn’t mean I don’t know what DLP is, or how it functions, but I’ve never sat in front of a host that does DLP and used it on a day-to-day basis. Does that mean I’m not right for any position at your organization due to the fact I’ve not been a DLP administrator?

Just something to think about. I always judge interview candidates not just on what they know, but on what I think they will learn, and how strong of learners they are.

How broken is Malware Investigator?

Malware Investigator - Broken

I have been steadily using Malware Investigator since its public debut in early March of 2015.

I have grown more and more upset with the service over this time period, and in the end, I’ve realized it’s not providing me any more of a service than what is being provided via cuckoo, VirusTotal, or malwr. Furthermore, even with some of the early-on problems faced by malwr, I still believe that malwr is more available than the Malware Investigator tool is.

Problems experienced using Malware Investigator:

1) Downtime – Their servers are often down outside normal business hours, and even down sometimes during business hours. Oftentimes, the SAML authentication that occurs between the InfraGard website and Malware Investigator fails, or I get redirected to various error pages at Malware Investigator.

2) Processing Time – It often takes an insane amount of time to analyze my submissions. For the majority of the malware that I have submitted to their website, I would guess that the mean time to analyze is approaching a week and a half. I feel that they should have enough resources at their disposal to process malware faster than 1.5 weeks.

3) Correlations – This is the part that really got me excited to use Malware Investigator. However, it seems as if it is a little bit of a misnomer. I had thought that it would allow me to compare the malware I find to other malware used in higher-profile breaches / incidents, and that it would alert me to that (with a certain level of discretion, of course, understanding the different classification levels of information provided by the FBI). Unfortunately, correlations generally just gives you the ability to see the usernames of other people that have uploaded that same piece of malware.

4) General Brokenness –

a) My profile has become littered with malware that I never submitted. There are a number of .dll files littering my screen that have (supposedly) had analysis performed against them, that I never submitted.

b) I can’t get the proper listing of malware that I submitted to the site, unless I happen to remember the name of the malware that I submitted. The general overview, where you should be able to browse all the malware you submitted, is completely broken for me, and the only way to find the malware I submitted is if I happen to remember its name; so it seems the search process still works, however, the listing of malware doesn’t.

I will point out the single feature I like at Malware Investigator, and the only reason I still use it. I use it to analyze all the Linux, Unix, MIPS, and other non-Windows malware that I am able to collect. That is the single weakness of both malwr and VirusTotal: they will not, or more properly said, do not have the ability to analyze the various Linux/Unix/MIPS/whatever malware variants that I upload.

So, with all these problems I have experienced, I ask the question, “How broken is Malware Investigator?” And, “Is Malware Investigator broken beyond belief?”

Do you think that malwr and VT should start accepting, and being able to process, Linux malware, or does it represent such a low number of infections that it would be going too far? Let me know by posting a comment down below.

Please leave a comment, let me know if you use Malware Investigator, or if you don’t, and why; I want to hear other people’s reactions to Malware Investigator.

40 year impact from OPM breach

OPM Breach

Source: FedScoop

Interesting article that states the impact of the OPM breach could last for the next 40 years.

I’m just going to say, after some conversations I’ve had with some people over this past weekend, I think the breach could last a whole lot longer than 40 years. In fact, I would go so far as to say that the damage caused by the breach will never be repaired. Think of the long-lasting impact this will have on family members of those affected by the breach. If someone was able to pull up all the information on, say, your Grandpa, and was able to give you any/all information you could ever want to know about him, wouldn’t that affect your trust with that person, and wouldn’t you be slightly more likely to release other information to him, as you see they already have a bunch of information? From an intelligence-gathering standpoint, the amount of information contained in the SF-86 form is crazy; there is so much information in the SF-86, it literally took me 3 days to fill out that form.

From the Article at FedScoop:

The theft of background investigation data on millions of federal employees and contractors has created a massive threat to U.S. national security that will last for decades and cost billions of dollars to monitor, current and former intelligence officials said.

The Office of Personnel Management announced last week that personal data on 21.5 million individuals was compromised by the hack of the agency’s background investigation database. That includes 19.7 million individuals that applied for a security clearance, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.

But while the focus continues to be on OPM’s efforts to fix vulnerabilities in the system used to manage background investigation data, known as Electronic Questionnaires for Investigations Processing (e-QIP), as well as the 30 day cybersecurity sprint ordered by the Office of Management and Budget, intelligence experts say there is little the agency can do to reverse the damage that has already been done.

Too Big to Care – Advance Fee Fraud

Advance Fee Fraud

Warning: So, this post might sound politically motivated to some. I assure you, I’m looking beyond the politics of the American way of life, and talking about people in general.

My wife went on a trip this past week to visit her mother, and other family, up in Montana. When she got to her mom’s house, she found out that her mom had shut off her phone due to an “advance fee fraud” scam that she had fallen victim to. It made me take a step back and examine things from a new angle.

My mother-in-law, who is not “well off”, lost well over $20,000.00 to scammers located in Jamaica. She was continuing to send them money and brand new phones, all so she could get the $1.25 million that they had promised her.

So, it all makes me think about the ethics of everyone involved in this scam. So, obviously, I’m going to say terrible things about the scammer, but what about everyone else involved?

I notified both MoneyGram and Western Union. I notified the state’s attorney general, I notified the FTC, I notified the IC3, I notified my mother-in-law’s bank. I also notified APS, as I think this is also a case of elder abuse. I’m reaching the end of my abilities as far as notification procedures, of who I can contact.

I also registered an account on scamwarners, and read through others’ posts about similar types of scams, just to see what other people have to say about these scams.

Going through all this stuff, I thought about the ethics of everything involved, and in the end, it really makes my blood boil.

With the understanding that this is fraud-related, there is very little the government is going to do to help, via IC3/FTC/FBI/SS/NW3C. The companies involved, MoneyGram and Western Union, don’t care, as they’ve collected their money already, and the bank can’t legally keep my M-I-L away from her money.

It all makes me wonder, what can be done to prevent this kind of fraud?

After going through all this with my M-I-L, I immediately called my dad, told him of this scam and how not to fall for it, and asked him to contact me if there is absolutely anything he ever questions. But beyond that, what can I do?

Review: Malware Investigator (iLEEP, FBI tool for investigating malware)

So, several months ago, I wrote about a tool that the FBI was going to make available for members of InfraGard, called Malware Investigator. This tool was set to provide members of law enforcement and InfraGard with analysis of submitted malware. I said that I would provide a detailed write-up regarding how useful the tool is, and how it helps me analyze found malware. I am happy to do that for you here; here is my review of Malware Investigator.

I submitted 3 malware samples that I found via my SSH honeypot. Granted, these samples were compiled for execution on a MIPS-based system, so all the other malware analysis tools proved to be relatively worthless, as most of them are only set up to run w32 (Windows) binaries and test the execution of that malware. I submitted these samples on 4/20, one at approx. 7:30 AM MDT, and the other two later in the day, approx. 4:30 PM MDT.

As I am writing this post, on 4/23, at approx. 9:45 AM MDT, the analysis of all three files is still incomplete. To me, since these are sort of odd-ball files to submit (again, they are MIPS executables), I think a day is a reasonable amount of time to run the malware in a sandbox and provide a report. However, at 3 days and still going, I think this sort of analysis is taking far too long for the service to be useful for malware hunters out there.

Depending on the output, and if it ever completes, I may or may not provide a follow-up to this article, detailing how accurate the malware analysis at Malware Investigator was; it is something to write about.

The positive analysis of the files (just one included here) is that it does provide some initial decent details; however, what I’m really curious about is the attribution and correlation that the FBI provides me with (if any).

Review: Cyborg Hawk Linux 1.1

I downloaded a copy of Cyborg Hawk Linux 1.1 several weeks ago, and unfortunately didn’t get around to actually installing it and using it until today.

My very first impressions were about how “beautiful” the desktop was; but that is about where the beauty ends.

So, on to my use of it:

There are a bunch of tools on there, a bunch of tools that I’m not familiar with, and that aren’t in Kali Linux. I visited Cyborg Hawk Linux’s homepage to read what documentation and tutorials they have on their website, and the pages they link to are down (see here). There are several pages up in their “Documentation” section, so I perused through there for a bit, not really finding the info I needed. I will come back later to the tools I’m unfamiliar with, and put in the manual research time for those.

Launching tools that I’ve either used before or actually have a pressing need to examine (I’ve got some malware samples that I really want to take a look at), I try to launch Cuckoo, and it fails. I’m not extremely familiar with any of the other tools, but again, I will return to those once I can read up on them and learn how to use them.

Now headed off to tools that I’m extremely familiar with, including metasploit. Launch the metasploit service, then attempt to update the modules, and it fails. Attempt to register the service, and it fails, and I’m therefore unable to update/use metasploit.

So far, in a couple hours of use, all this distro has going for it is a pretty interface and a lot of tools. As I mentioned earlier, I will dig into those tools as soon as I have time to search and look up what each of them does. Overall, not very impressed with Cyborg Hawk Linux 1.1.

Excellent Support and Solutions

Nothing makes us happier than producing excellent support and solutions, whether it be through customers, online, or through open-source information exchange.

Today, I had a question, and I decided to fire up a link to a very excellent resource at StackExchange, more specifically the SuperUser forums at StackExchange. After looking for the solution to my problem and being unable to find it, I decided to log into my account, because it has been a little bit of time since I last visited the site. I was very interested to open up a link to a previously asked question and see very nice words written about a solution I had provided as an answer.

This is what the user said about my response to a question:

I don’t care if you aren’t supposed to put “thanks” comments here, I just wanted to express my thanks and how much time and energy you saved me. Thank you so much! I’m using a company VPN to do some emergency work from a mall and could not get some of our sites working despite everything I thought of trying. I wouldn’t have been able to figure this out on my own, that’s for sure…

I have to admit that receiving feedback like that from a user on a public forum was great to hear, and made me feel great about the support and solutions that I was able to provide. I’m very happy that the user found my comment and solutions useful, and I hope to make all my posts as valuable as that single post was to that user.