Monday, 21 December 2020

Russia and Hacking: The Question We Should be Asking

(The following is a personal opinion piece)

As of this writing there have been a ton of news articles about Russia hacking major American infrastructure and government agencies, not to mention top-ten telecommunications providers along with a plethora of Fortune 500 companies in the States.  This is massive. [1]

It is not an overnight task to launch an attack as expansive as this.  No doubt about it, this was something long in the making.  In this article I am not going to go into depth about the attack; likely you are already aware of it and have read a technical analysis of it.  The attack raises an important question though:

Why Now?

If you spend any amount of time in the cyber security world you will know that nation-state attacks have been going on for a long time.  America to Russia, Russia to America, every once in a while throw a little bit of China in there for flavour, etc. etc. etc.

I am going on an assumption here that America and Russia have known for years that they have been resident in each other's networks.

Stay with me here.  We haven't boarded the one way train ride to crazy town just yet ;)

The digital space, cyberspace, is this wonderful, strange, for the most part unregulated entity that people from across the planet can access to reach out and touch one another.

It's a dangerous place where you can get hurt as well.  It is loaded with bad actors... and good actors.  For the most part cyberspace is held together by people (volunteers) with sound moral compasses keeping this digital world in check.  Currently the internet exists in this idyllic bubble where information is free and available.  It is this innocence that has paved the way for nations to vie for control.

America birthed the internet and the big players (Russia/China) have been playing catch-up.  America has been a/the dominant controller of the internet since its inception.

Indeed Russia and friends have been in a virtual race with America since the beginning *cough *cough *cold war.

So let's go back to the question: Why now?

They (R and A) know they are hacking each other, why is this news now?  Why is this public now?  What is happening in history right now that warrants it being released to the masses?

There are a couple of pieces that need to be weighed here.  Was America truly caught with its proverbial pants down?  Did they really not have any idea how bad it was?  Because if that is true, we should all be scared.

There is a secret war for cyber-space waging every day. 

I think that we are living in a time where R and C are finally catching up to A.  

America has lost its dominance in the cyber realm.  Or at least a portion of the pie.

The cause of why America lost its dominance is a topic that is just too expansive for the scope of this article, even this blog.  Long story short though, it is hard for a house to stand when its foundation is crumbling.

So Why Now?  The conspiratorial side of me is showing his face a bit here, but I don't think any of this was an accident.  I think that these hacks did happen.  I think that when it was revealed to the public it was no accident though.  What a curious coincidence that this news is revealed as Biden begins taking office.  Also take note that a few short days before this was published the Trump administration closed the last remaining American consulates in Russia [2].

The fallout from the hack is something that people should be watching.

I know I will.

Always ask questions.

Andrew Campbell



Sunday, 13 December 2020

Top 10 Since the Beginning

 Hi All,

I thought it would be fun to start a tradition for my blog: sharing the top ten visited articles over the past year.  This blog was started in May 2020, so it has only been going for about seven months at this point, but I think Christmas time is a good time to start this.  Next year I will have 12 months to get data from.  I will be taking a writing break during Christmas and getting back to it January 11, 2021.

I included a blurb with each of the ten about how I came up with the idea for the particular article.

10. Route out IP Origin with Free Tools

I love python and getting the language to automate tasks for me is great.  I had been working on a python script that scraped a website for geolocations so that I could show my students in class.  In my research I stumbled across a few tools that did similar things.  Weird part about these tools is that they didn't all produce the same result!

9. Who Attacked Czechia in April 2020?

This was one of my favourites to write.  In Blogger you can see where people are accessing your site from (country).  At the time of writing this my blog was still fairly new.  Curiously, other than Canada, my largest fan base was Czechia.  I thought it would be fun to write an article geared towards them.  During my research I found out that two Czech hospitals (top COVID research facilities) had been "hacked."  I dug deeper and it turns out there was strong evidence that the Russian hacker group APT28 was behind the attack.  Also curious: a few months after this attack Russia announced they had found the "cure" for COVID.  Coincidence?

8. An Introduction DNS SinkHoles (Pi-Hole)

I love open source tools that are versatile and simple to set up.  Also, it is extremely powerful.  A friend had Pi-hole set up at his house and he was protecting his entire network.  I read up on it and decided it would be an awesome thing to include in my home environment.  My friend was using a Raspberry Pi; I decided to use a desktop server and virtualize the Pi-hole.  Both solutions work!

7. Data Stealing: The Next Logical Step for Adblockers

One thing that is likely going to last for a long time is the fact that people will download things that look good but actually have nefarious purposes.  This article takes a look at the basic functionality of adblockers and how it is not a surprise that someone succumbed to the temptation to steal data with these "free" software packages.

6. Why are Guest Networks Important?

Attacks on wireless networks are happening all the time.  For a person who wants to circumvent network security, you can be sure they have a reasonable idea of how port scanning works.  Combine that with the fact that people generally have terrible home network security, and home networks are prime targets.

I have been preaching guest networks for years, I thought it would be fun to demonstrate visually the difference between the two.  I used port scanning to show what is visible on a guest network and a primary network.

5. How to Hide a Root User (activity) in Linux

I was part of a conversation with a student and we were talking about hiding users on systems.  We got talking about zero-width characters and how they can mess things up.  In this blog I do a quick demo of how you can make two users on a Linux system look exactly the same and really mess with your system logs!

4. The Good the Bad and the Proxy

This was a very early blog post.  I was engaged in a port-scanning module at work and so the topic was on my mind.  This post has routinely been getting hits week after week.  Thanks again!!

The topic for the post surrounded the ethics of port scanning.

3. A Walking Tour of Calgary Internet Exchange Points

When I finished writing this one I honestly thought it would get my lowest number of hits.  I was surprised that it got so many visits.  Thanks!!!

I had recently taught a class where I mentioned IXPs and the students were generally unaware of the technology.  I did a little research about my city and learned that we actually have 6 IXPs.  Funny thing is, I took my kids on a driving tour of these facilities and explained how the internet works.  I was pumped!  But it didn't really resonate with them.

2. "No Log" VPNs Not Safe for Much longer

This one has been popular as well.  I was doing research on VPNs for a different article and during my research I saw an article about The Pirate Bay.  Now, I have mixed opinions on torrenting, which I won't get into here, but the article regarding The Pirate Bay was about some legal situations that the company was facing.  In the article the primary takeaway I got was that there is a risk that "no log" VPNs may no longer exist in the future.

1. Bleedingtooth, Russians, and Penguins

This is a great one and I didn't write it!  This was a guest article written by a former student of mine.  He did great and it was a very interesting read!

Thanks Everyone!  More to come in January 2021

Andrew Campbell

Monday, 30 November 2020

How to Hide a Root User (activity) in Linux

The other day I was in a discussion regarding user accounts and zero-width spaces.  We were talking about how it is possible to hide data using zero-width characters: a zero-width space is a real character to the computer even though it takes up no visible space on the screen.  That led to the question: could we hide characters in a user name?  Could a person create an account that to the naked eye looks like root but, when the hidden characters are revealed, turns out to be one of multiple "root" accounts?

What we learned was scary and should make every sysadmin think about what they are reading in their logs.  If I am root and I see a task completed by root in a log, but I have no recollection of doing that task, I should do some digging and make sure that I have no secret root accounts on my machine.

Normal method of adding a user.

In the above image we can see I added a user "testUser."  This is the normal process with no bells or whistles.

I deleted testUser and added it again, but this time with UID 0 (the same UID root has).  Observe the differences between the UID 0 user and a regular user (lines 3 and 6).

For comparison (above) I also show the existing root user.  Oops!  I have two users with the same UID!

The next part is where the magic happens.  Using Unicode I can create a user whose name looks exactly like another user's but is different, because I append a zero-width character to it.  That extra code point is enough for the OS to treat them as two distinct users, but you and I cannot see any difference.

Take a look at this picture below.

lines 1-2: I show current "testUser" on system

line 3: I add a user like I did previously; the only difference (sadly you can't see it) is that I append a zero-width character at the end (Ctrl+Shift+U, then 200B, which enters U+200B ZERO WIDTH SPACE)

lines 4-6: I show the /etc/passwd file with the two users.  They look the same!!  (FYI, I technically now have three accounts on my system with UID 0 <-- bad)

In the next picture I switch to my zero width user.

So obviously if you are an admin and you have some automation set up to check /etc/passwd regularly, then you will likely catch this: anything that flags duplicate UIDs, UID 0 accounts other than root, or non-ASCII bytes in user names will expose it immediately.  Hopefully you have some OS hardening in place to prevent this from happening in the first place.  The danger here is that I made a user that looks exactly like another user; you cannot visibly tell the difference between the two.  I could do what I want on this OS masquerading as a local user and the logs would all look legitimate.
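As an added example (not from the original post), here is a Python audit of /etc/passwd that catches the three things the screenshots show: invisible or non-ASCII code points in a user name, two names that display identically, and more than one account with UID 0. The passwd lines it scans are constructed for the example; when run directly it audits the real file instead.

```python
import unicodedata
from collections import defaultdict

# Constructed sample of /etc/passwd content modelled on the experiment above:
# root, a normal user, and a second "testUser" whose name ends in U+200B
# (ZERO WIDTH SPACE) and which also has UID 0.  Not copied from a real host.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "testUser:x:1001:1001::/home/testUser:/bin/bash\n"
    "testUser\u200b:x:0:0::/home/testUser:/bin/bash\n"
)


def is_hidden_char(ch):
    """True for code points that should never appear in a Unix user name:
    anything outside ASCII, plus format (Cf), control (Cc) and space (Zs)
    characters.  U+200B is category Cf, which is how it slips past the eye."""
    return ord(ch) > 0x7F or unicodedata.category(ch) in ("Cf", "Cc", "Zs")


def visible_name(name):
    """Collapse a name to what a terminal actually shows, so look-alike
    names map to the same key."""
    return "".join(ch for ch in name if not is_hidden_char(ch))


def audit_passwd(text):
    """Scan passwd-format text and return a list of (check, detail) findings.

    Checks: hidden_chars (invisible or non-ASCII code points in a name),
    duplicate_uid, extra_uid0 (a UID 0 account not literally named root)
    and lookalike (two names that render identically)."""
    findings = []
    by_uid = defaultdict(list)
    by_visible = defaultdict(list)

    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", f"line {lineno}: {line!r}"))
            continue
        name, uid = fields[0], fields[2]
        hidden = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                  for c in name if is_hidden_char(c)]
        if hidden:
            findings.append(("hidden_chars", f"{name!r} contains {', '.join(hidden)}"))
        by_uid[uid].append(name)
        by_visible[visible_name(name)].append(name)

    for uid, names in by_uid.items():
        if len(names) > 1:
            findings.append(("duplicate_uid", f"UID {uid} shared by {names!r}"))
    for name in by_uid.get("0", []):
        if name != "root":
            findings.append(("extra_uid0", f"{name!r} has UID 0"))
    for shown, names in by_visible.items():
        if len(names) > 1:
            findings.append(("lookalike", f"{shown!r} is displayed for {names!r}"))
    return findings


if __name__ == "__main__":
    # Audit the real file when run directly; surrogateescape keeps the scan
    # alive if the file contains bytes that are not valid UTF-8.
    with open("/etc/passwd", encoding="utf-8", errors="surrogateescape") as fh:
        for check, detail in audit_passwd(fh.read()):
            print(f"[{check}] {detail}")
```

Python's repr() escapes U+200B as `\u200b`, so the findings print the hidden character instead of swallowing it. Without any script, `awk -F: '$3 == 0 {print $1}' /etc/passwd` lists every UID 0 account, and `cat -A /etc/passwd` shows the three UTF-8 bytes of the zero-width space as `M-bM-^@M-^K` at the end of the forged name.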

Thanks everyone!

Andrew Campbell



Monday, 23 November 2020

A Tangible Example of Stateful Firewalls

If you spend any amount of time with firewalls (FW) you will encounter stateful firewalls.

The goal for this week's article is to shed some light on a stateful FW in action.  A simple demonstration will help those new to firewalls or those needing a quick refresher.

Before moving forward let's briefly talk about a tool that every IT professional uses.


Ping, often expanded as "Packet Internet Groper" (a backronym).  This little tool we use so much that we take it for granted.  Ping uses ICMP: it sends an ICMP Echo Request to a target and, if nothing along the path drops it, the target answers with an ICMP Echo Reply.  The power of ping is that with ICMP I can evoke a response from a target.

I always pause here when I say this to students.

Because, think about it: a machine that was not anticipating any packet receives a random packet and then responds to it.

I usually demonstrate this concept by pinging a machine in Asia and observe the response. (I reside in Canada).

So there is the brief history on ping.  Keep this in mind as we continue on.

Above I am showing a simple network managed by a router.  On either side of the router I have separate LANs.  Static routing is already set up, so at the routing layer a machine on either LAN can reach a machine on the other and vice versa; what actually gets through is then decided by the firewall rules.

Above I am showing some rules on the OPT2 interface.  These rules apply to traffic arriving on OPT2 (i.e. outbound from that LAN) and say this:
- from .3.11, allow TCP/UDP to the LAN host .1.101 on port 3389 (RDP)
- block everything else going from OPT2 to LAN
- allow everything else from OPT2 out (going to the internet)

Here .3.11 is attempting to ping .1.101.  As you can see the ping hangs and never gets a reply.  Thanks, FW!!

Here .1.101 is pinging .3.11 and we are getting a response.  I know this picture is boring, but something awesome is happening.

Remember in the previous picture that .3.11 could not get an ICMP Echo Request through to the LAN?  Yet from .1.101 we just saw that .3.11 did in fact send an ICMP Echo Reply back into the LAN: an ICMP packet going exactly where the OPT2 rules say nothing may go.

This is where the magic of stateful firewalling comes into play.  In my FW configuration I am allowing all traffic from LAN to OPT2.

All pings from LAN can get to OPT2.  When the Echo Request from .1.101 is passed, my FW records that connection (a state).  The reply from .3.11 matches the recorded state, so it is passed as part of an existing conversation instead of being evaluated against the OPT2 rules, even though those rules say nothing may go to the LAN network.

Why is this useful?  Without state I would have to write a separate rule for every return direction: allow ICMP Echo Reply from OPT2 to LAN, allow TCP from port 3389 back to .3.11, and so on.  The stateful FW takes care of this for me!

But don't get too comfy with the rules being "easy."  You have to be mindful of the communication relationship: which packets are legitimate responses to which requests, and exactly what a state permits.  A permissive rule in one direction silently opens the return path, so if you are not vigilant in crafting careful rules you could leave your network wide open to attack.
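As an added example, not part of the original post, the following Python simulation replays the exchange above through a tiny stateful filter: per-interface rules, a state table keyed on the flow, and the ICMP type check that keeps a fresh Echo Request from riding on a state that an earlier reply created. The 192.168.x.0/24 prefixes, the RDP source port and the echo identifiers are assumptions; the post only shows the host parts of the addresses.

```python
from dataclasses import dataclass

# Addresses: the post only shows the host parts (.3.11 on OPT2, .1.101 on
# LAN); the 192.168.x.0/24 prefixes here are an assumption for the example.
OPT2_HOST = "192.168.3.11"
LAN_HOST = "192.168.1.101"
LAN_NET = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "icmp", "tcp" or "udp"
    ingress: str         # interface the packet arrived on: "LAN" or "OPT2"
    sport: int = 0       # tcp/udp source port
    dport: int = 0       # tcp/udp destination port
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply
    icmp_id: int = 0     # echo identifier that ties a reply to its request


# Per-interface rules, first match wins, evaluated only for packets that are
# not already part of a known state.  This mirrors the OPT2 policy above.
RULES = {
    "OPT2": [
        ("pass", lambda p: p.src == OPT2_HOST and p.dst == LAN_HOST
                           and p.proto in ("tcp", "udp") and p.dport == 3389),
        ("block", lambda p: p.dst.startswith(LAN_NET)),   # OPT2 -> LAN
        ("pass", lambda p: True),                          # OPT2 -> anywhere else
    ],
    "LAN": [
        ("pass", lambda p: True),                          # LAN -> anything
    ],
}


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # flows that a pass rule has already admitted

    @staticmethod
    def _flow_key(p):
        if p.proto == "icmp":
            return ("icmp", p.src, p.dst, p.icmp_id)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def _matches_state(self, p):
        if p.proto == "icmp":
            # Only an echo *reply* may ride an existing state, and only in the
            # reverse direction of the request that created it.  A new echo
            # request with a recycled identifier still has to face the rules.
            return p.icmp_type == 0 and ("icmp", p.dst, p.src, p.icmp_id) in self.states
        forward = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return forward in self.states or reverse in self.states

    def filter(self, p):
        """Return 'pass:state', 'pass:rule', 'block:rule' or 'block:default'."""
        if self._matches_state(p):
            return "pass:state"
        for action, match in self.rules.get(p.ingress, []):
            if match(p):
                if action == "pass":
                    self.states.add(self._flow_key(p))
                return f"{action}:rule"
        return "block:default"


def demo():
    """Replay the exchange from the screenshots and return each verdict."""
    fw = StatefulFirewall(RULES)
    out = {}
    # .3.11 pings .1.101: no state exists, so OPT2 rule 2 blocks it
    out["opt2_ping_lan"] = fw.filter(
        Packet(OPT2_HOST, LAN_HOST, "icmp", "OPT2", icmp_type=8, icmp_id=1))
    # .1.101 pings .3.11: LAN allows everything and a state is recorded
    out["lan_ping_opt2"] = fw.filter(
        Packet(LAN_HOST, OPT2_HOST, "icmp", "LAN", icmp_type=8, icmp_id=2))
    # the reply arrives on OPT2 and passes on state, never touching the rules
    out["opt2_echo_reply"] = fw.filter(
        Packet(OPT2_HOST, LAN_HOST, "icmp", "OPT2", icmp_type=0, icmp_id=2))
    # a new request from .3.11 reusing identifier 2 is still a request
    out["opt2_ping_reused_id"] = fw.filter(
        Packet(OPT2_HOST, LAN_HOST, "icmp", "OPT2", icmp_type=8, icmp_id=2))
    # explicit rule: RDP from .3.11 to .1.101, and the reply rides the state
    out["opt2_rdp"] = fw.filter(
        Packet(OPT2_HOST, LAN_HOST, "tcp", "OPT2", sport=50000, dport=3389))
    out["lan_rdp_reply"] = fw.filter(
        Packet(LAN_HOST, OPT2_HOST, "tcp", "LAN", sport=3389, dport=50000))
    return out


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step:22} {verdict}")
```

The `_matches_state` type check is the caveat from the paragraph above in code: if a state only remembered "these two hosts talked over ICMP", any OPT2 host that guessed the identifier could push an Echo Request into the LAN on the back of a LAN-initiated ping.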

Thanks Everyone!
Andrew Campbell

Monday, 16 November 2020

Bleedingtooth, Russians, and Penguins

Hi Everyone,

This week I have partnered with a colleague.  Josh Kozak wrote an awesome article.

Check out his LinkedIn profile:

Josh Kozak


Due to the limited desktop use of Linux I always forget that there indeed exists malware for Linux-based systems. This, coupled with the fact that most distributions of Linux have adopted popular security tools like SELinux, FirewallD, UFW or iptables baked right in for ease of use, makes it easy to feel safe and secure in a Linux environment. However, recently two reports came as a reminder to update kernels and detection rules: one being a widespread Bluetooth vulnerability affecting the BlueZ library and the other being the NSA report detailing the Drovorub malware tool for Linux systems.


BleedingTooth was the name given to the Bluetooth vulnerability found by Google security engineer Andy Nguyen, who then reported it to Intel. [1] It's reported that the vulnerability affects BlueZ, which is the official Linux Bluetooth stack. Essentially BleedingTooth allows an attacker within Bluetooth range to send a malicious L2CAP packet to execute code with kernel privileges. The attacker not only has to be within range, but the device must also be set to discoverable in Bluetooth for the attack to be successful.

Now while that may seem to be a very specific set of circumstances for the vulnerability to be taken advantage of, it’s important to remember that BlueZ is also found on most Linux based IoT devices. This would allow attackers to pick and choose their targets at leisure and through those devices gain access to even greater network bounties. Being IoT devices it would also be a safer bet that they may be missed on a sweep of system/kernel upgrades that occur and could be running kernel versions that are vulnerable.

Intel announced that upgrading your kernel to version 5.9 or higher will fix the vulnerability. They also released various patches for kernels in case full kernel upgrades were not viable.


I find the NSA report detailing the Drovorub malware far more intriguing, however; simply put, it's a full Swiss army knife for Linux systems. The most interesting part comes from the fact that it's reported to have been created by APT28 (military unit 26165 of the Russian General Staff Main Intelligence Directorate) [2]. Drovorub itself is basically four different executable components: drovorub-server, drovorub-agent, drovorub-client and the drovorub-kernel module.

The client gets installed on the target's system by the actor and then can receive commands from the server and offer file transfer to/from the system it's installed upon. The client also gets packaged with the kernel module, which provides a rootkit-based stealth ability to hide the client and the kernel module themselves. The server and the agent, meanwhile, are typically both installed on infrastructure that the attacker controls. The server keeps a database store using MySQL for registration, authentication and tasking to the agent. The agent receives commands from the server and its purpose is mainly to upload and download files from the client and forward network traffic through port relays. [3]

To defend against the Drovorub malware it is recommended to update the Linux kernel to version 3.7 or later. There are also rules for both network-based and host-based detection available in the report. The report also goes into memory analysis to help find any instances of the malware.

The fact that these tools are bundled together will make it easier for scripts to be written that could potentially lead to the targeting of older production systems that may not be assured of having working, current backups. Also, when you look at where Linux is mostly being used (business/production servers, industrial PLCs and IoT devices), this leads one to think that originally these tools were most likely created for industrial or commercial espionage. Add the fact that this all works for kernel versions much older than current, and it would lead me to believe there are far more malware tools out there that are just as effective against newer Linux systems as well.

These two reports had me pause and check what I was doing with my Linux system on my laptop. I ran through a list of things from checking my kernel version to how my Bluetooth service launched and ran. I even realized that the install I had performed hadn’t really been configured with a firewall even. So, no matter how secure your castle feels, it’s always a good idea to go out and check for cracks in the foundation.

Monday, 9 November 2020

Data Stealing: The Next Logical Step for Adblockers

Depending on what side of the fence you are on, you either love adblockers or you hate them.  Content creators and such hate adblockers.  Their dislike for this software is justifiable; they depend on the revenue that comes from clicks.  As a regular user of the internet, though, it can be quite jarring to see all the ads on a website, or to be watching an interesting video and then be subjected to a 3-minute video about a new truck.

Even popular services like Twitch are working to combat AdBlockers [2].

I personally have been using adblockers and utilities like Pi-hole for so long that when I see a YouTube ad I actually have to pause for a second, because it has been so long since I have seen an ad.  I literally kind of forget that ads are a thing.

Recently, though, it has been discovered that some adblockers were actually being used to steal data [1].

In this blog I'm going to dive into how AdBlockers tempt folks to steal data.

I'm surprised we haven't heard about data being stolen by adblockers sooner, honestly.  If you think about it, from a high level, adblockers act as middlemen between your browser and the website.  When an adblocker detects a script that smells like an ad it stops that script from running.  So why am I not surprised adblockers are being used maliciously?  Well, if the software is already going through the work of inspecting every page for "ad" scripts, why not go the extra step of tracking user data?

Data = $

Maybe it is my google bubble but most of the research links that came up revolved around how to circumvent adblockers.  Even more evidence that people are invested in getting around your browser plugins.

I did find an interesting article describing a technique [3] that web developers use to detect if you are using an ad blocker.  To summarize: you plant a dummy JavaScript file on your site whose name looks like an ad script; if an adblocker prevents it from loading, a check on the page notices that the script never ran and fires an alert.  This is likely the method in play when you are moving around the internet and a window pops up: "Hey, why are you using an adblocker?!  We need money too!!"


The most popular way to get ads on your website fast is Google AdSense.  If your website is in compliance with the rules that Google has set, then you are allowed to begin participating in the program.  Above is an example of the AdSense code that is inserted into your website.

This code isn't particularly complicated.

It's a script that exists somewhere in your website code, and when visitors land on your page they will be presented with the ads that the script loads.

Adblockers work in a similar way, in that they are themselves a script (usually a browser extension) that analyzes the page and the requests it makes, similar to how web scrapers work.  The script checks whether particular patterns match (known ad domains, script names, element classes) and then prevents that script from running.

That brings me to the whole point of this article.  If an adblocker is already set up as a middleman analyzing a website before you see it, wouldn't it be a simple step to add another line of code that sends the page you are on to a server somewhere else?

Imagine if 300,000 people are using your adblocker.  You are a smart coder with gumption and you understand that data has value.  300,000 regular users is nothing to turn your nose up at.  A person could sell that data.  The temptation is real.  From a monetary standpoint I can see why people would do it.  From an ethical standpoint I think it is flat-out wrong.
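Added example, not code from the original post or from any real extension: a toy blocker in Python that makes the middleman point concrete. Both classes share the same filter logic; the second one adds the single extra step the post warns about. The filter rules, the page URL and the requests it triggers are all constructed for the example.

```python
from urllib.parse import urlparse

# Constructed filter list in the style adblockers use (not a real list):
#   ||host^     block requests to that host and any subdomain of it
#   other text  block any URL containing the text
FILTER_RULES = [
    "||pagead2.googlesyndication.com^",
    "||doubleclick.net^",
    "/adsbygoogle.js",
    "banner_ad",
]


def _is_host_rule(rule):
    return rule.startswith("||") and rule.endswith("^")


class AdBlocker:
    """The honest version: sees every request the page makes, blocks the
    ones that match a rule, and keeps nothing."""

    def __init__(self, rules):
        self.hosts = [r[2:-1] for r in rules if _is_host_rule(r)]
        self.substrings = [r for r in rules if not _is_host_rule(r)]

    def should_block(self, url):
        host = (urlparse(url).hostname or "").lower()
        if any(host == h or host.endswith("." + h) for h in self.hosts):
            return True
        return any(s in url for s in self.substrings)

    def on_request(self, page_url, request_url):
        """Hook the browser calls for each request; returns the verdict."""
        return "block" if self.should_block(request_url) else "allow"


class LeakyAdBlocker(AdBlocker):
    """Same filtering, plus the 'one more line' the post worries about: the
    page the user is on is recorded for a third party.  The remote server is
    replaced by a list so this example runs offline."""

    def __init__(self, rules):
        super().__init__(rules)
        self.sent_to_server = []

    def on_request(self, page_url, request_url):
        # The blocker is already handed the page URL to do its job, so
        # exfiltrating browsing history costs nothing extra.
        self.sent_to_server.append({"page": page_url, "request": request_url})
        return super().on_request(page_url, request_url)


# Constructed page load: the page URL and the requests it triggers.
PAGE_URL = "https://news.example/health/private-article"
PAGE_REQUESTS = [
    "https://news.example/static/site.css",
    "https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js",
    "https://ad.doubleclick.net/ddm/adi/N1234/B5678",
    "https://cdn.news.example/img/banner_ad_728x90.png",
    "https://news.example/api/article/42",
]


def load_page(blocker, page_url=PAGE_URL, requests=PAGE_REQUESTS):
    """Return {request_url: verdict} for one page load through the blocker."""
    return {url: blocker.on_request(page_url, url) for url in requests}
```

From the user's side the two blockers behave identically: the same ads disappear, and nothing on the page reveals that every URL, including the article you were reading, has also been written down. That is why the post's advice to read about an extension before installing it matters more than anything you can observe while using it.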

What can you do?

Well honestly, read.

Often the best strategy to understanding the security of software is to read about it before you install it.

- Are there reviews?

- Do reviews trigger any ethical red flags for you?

- Is the developer up front about what and how they are using your data?

- Or... stop being an early adopter (I feel like I could write a whole article about early adopters).  The benefit of waiting a bit is that you can read reviews and see what people say.  Why do those tests on your own systems when you can let other people do the work for you?

- Run apps you want to test in a virtual environment

Educate yourself on the applications you are using because nothing is free.  That free app you downloaded is getting paid somehow, likely by selling your data.






Thursday, 5 November 2020

Network Security - A Calgary ISP (Critical Analysis)

The other day I came home and saw a pamphlet in my mailbox.  It was a local ISP tempting me to purchase their services over my current provider.  (This article is by no means meant to be slanderous towards an ISP in my area.  It is meant as a critical analysis of a provided service.)

You should know that I truly don't care who my ISP is.  I take care of the network security at my home.

This provider, who so kindly left their info in my mailbox was offering $6/mo for additional security services.

Here I am, a person mindful of cybersecurity, I was left wondering, what can $6 do for me that I can't take care of myself?  Or is this just a ruse to dupe folks into signing up for internet packages?

I'm conducting this analysis in a different way, I'm going to write my thoughts down as I read about their $6 additional security.  I think it will be a fun experiment, maybe my view point will change by the end!?  As of this writing, I know nothing about what comes with the $6 or why anyone should buy it. I will be tongue in cheek.  You have been warned ;)

Let's dive in.

You may have figured it out by now but yes it is Shaw. A quick look at their website and I have a few questions.

Right away we are given a generic statement.

"Attackers use several methods to steal your files, information and identity, or even attempt to takeover your device. Network Security helps defend your network and devices from these threats." 

It goes on to list "Ransomware" "Hacks" "IOT".

Save me from the Hacks please!!!

Further down in order to get more info you need to be a customer, however I was able to get this.

"For just $6/mo, get comprehensive cyber security for your home network and protection for up to 10 devices with McAfee® Multi Access."

I think people may have split opinions on McAfee.  I tend to view anything related to this company with trepidation.

 McAfee Multi Access boasts the following:

1. Anti-Malware

2. Anti-Virus

3. App Protection (I actually find this kind of advertising frustrating, what does that even mean? App Protection?)

4. ....and a whole suite of Security tools!

At this point there is no more information on the website. I have to start digging in other piles now.

I found a link that explains a bit more about Multi Access. [3]

There is a video on the link, and it explains that "if you are at a coffee shop you are quite vulnerable."  This is true, and MA apparently can detect if someone is trying to "hack" you.  Not many details on how, though.

 The video further goes onto explain that you can track, lock and wipe remote devices.  This is actually a very useful tool.  Having control of MDM for your own devices is a nice security feature.

A single license directly from McAfee will protect up to 5 devices, with this ISP you get 10.  Do you have 10 phones/tablets at home?

According to the site you get alerts if a website is "suspicious."  However, with a small amount of education you can catch these sites yourself.  Also there are many browser plugins that can do this work for you, and honestly probably do a better job at it.

App protection.  As you read earlier, I was confused by what this means; I found a video that explains it [4].

Basically, when you download an app MA will do a scan and give you a risk rating on it.  At this time it will give you an option to delete it if you want.  Some would say that if an app was built with malicious intention, the damage is already likely done by just downloading it.  So this feature might just be making people feel good about "catching" a bad app.


I wish that this ISP was more up front about what comes with the $6 fee.  It's peanuts in the long run, but their primary sales website is so broad that it seems obvious their target market is folks who are unaware of general cybersecurity.

The primary site talks about "..many other security tools!"  I could not easily find any info on what these tools are.  Are there actual tools?  I am skeptical.

MA is geared more towards your mobile devices, tablets and phones.  It doesn't seem to be a great fit for desktops/laptops.  My opinion on this is based solely on the fact that most of MA's features are focused on phones.  You can track, set off an alarm on the phone, take a picture of whomever has stolen it and finally you can wipe the device.

If wiping a stolen phone is your primary reason for wanting this service then I guess it is not a bad option because the other features are not really worth it honestly.

There are open source tools that you can add to your systems that will help protect you as you browse.  Also if you have any ounce of security awareness then you can probably come to the conclusion that all of the "features" they are offering you can easily be taken care of by yourself.

So MA is a decent tool for users who have limited security awareness, but for those who are cognizant of security you can easily protect your environment without paying extra for MA.






Monday, 19 October 2020

Why are Guest Networks Important?

Confession time.  I love port scanning.  I scan my own network and I will scan other networks when asked to.  There is so much valuable information to be gathered from scanning.  What I especially love about port scanning is the information you can glean from data that is not necessarily visible right away but you can assume is present based on evidence.

I often preach isolated networks as a baseline security measure for people personally and for their small businesses.  For my own home network I have what is commonly referred to as a "Guest" network.  Setting up a guest network is quite a simple task.  Most home routers have this functionality built in.  I wanted to visualize a guest network for you today!

Here are two images that should cause us to pause.

The first image is of the guest network.  I am running a host-discovery (ping) scan, which only asks which addresses on the subnet answer and does not scan any ports.  This is a basic command that can be run to figure out who is on the network.  As you can see it returned very little: the devices were the router, the local machine and one other device.

In the second image I am on my primary network.  For visualization I have a bunch of devices on there: my server, my primary desktop, my cell phone, etc.  I ran the same command as in the first image and it returned a ton of info.  For the picture I used a simple ping scan, -sP (the older spelling of nmap's -sn), which is basically saying "Who's there?  Great!  NEXT HOST!!"

So why should we reflect on these two images.  Well on my network I actually have a lot of devices.  However I don't want people visiting me to be able to access or discover my machines.  I have designed my home lab with specific purposes, many of them are security based and I don't need people muddling around where they shouldn't be.

Now imagine this was your business and you didn't have a guest network.

Someone in your waiting room could potentially discover all your servers, their OS and the versions of the services they run.  They can conduct in-depth recon on assets present on the network.

Hopefully you are cringing at the thought of this.

The images I have included are of a basic guest network.  However, many routers come with additional security features like client isolation (which stops guests from even discovering each other), password authentication, etc.

Give people what they need not what they want.


Andrew Campbell

Tuesday, 13 October 2020

Virtual Siege Warfare - Part 1

We have been fighting each other for a very long time.  Curiously the tactics by which we fight each other have not changed much.  The tactics are the same but the battlefield is different.

It is no mystery that Ad Revenue is a big deal.  People's entire livelihood depends on web traffic and people clicking on ads and collecting a small percentage of $ from an advertiser.  

This topic is going to be broken into multiple pieces.  As I read and research I am learning a lot.  There is too much to slam into one article.

Let's look back to when we were holding spears and firing arrows.  Imagine you are an attacking army and you are attempting to take a castle.  As an attacker who has supplies being sent to the front, your military leaders have planned for the long haul.

Your ultimate goal is to take the castle, or destroy it.

Wouldn't it be nice if we could do damage without actually launching a full on attack?  That is where the beginning of siege warfare comes into play.  As the attacker I will surround the castle and prevent resources from getting to the people inside the castle.

Given some time the people will run out of food, their stash of armaments will be depleted.  Morale will be down, and they will be hungry and tired.  From a tactical standpoint this is perfect, my enemy is weak.

Maybe they will surrender or perhaps now is the perfect time to launch my attack.

Now keep this in mind as we travel to modern times.

You own and operate a virtual shop that sells niche shoes.  You have a competitor who has come into the market who is selling a very similar niche shoe.  They are cutting into your business and your revenue is down.  Both of you rely on sales but also people visiting and clicking on ads.

As an angry shoe monger, I want to stop them from tapping in to my sweet sweet shoe revenue.

Adsense and others use website traffic and combinations of analytics to determine eligibility to participate in their ad programs.  It is possible to destroy that source of revenue.  It can happen by accident, unintentionally breaking something in the terms and conditions, but can be directed at a target maliciously.

How is it done?

Put quite simply if a ton of the "wrong" traffic lands on a site, you run the risk of your ad revenue being discontinued.

Whoever (ad programme) you are working with may determine that you are attempting to commit ad fraud (fake clicks, fake visits etc.) to grab more money from advertisers.

This happens a lot.

At this point I feel pretty comfortable with scraping.  I like being able to automate the retrieval of data from the web.  During my studying I have learned some techniques to evade common scraping prevention strategies.

As part one of the Siege discussion I wanted to highlight the technique of spoofing user-agents.

What is a user-agent? [4]

"The User-Agent request header is a characteristic string that lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent."

When you spoof a user-agent you are telling the server that you are someone you are not.  

Why does this matter?

It matters because when I make a request of a webserver my HTTP header tells the server who I am, that webserver then decides if it will accept me or not.

Web servers can say "NO."  Maybe you are surfing the web with an outdated browser?  Maybe you are surfing from a geo-restricted location?  Or maybe you are clearly making scraping requests using Python!

*Ominous Music !DUN DUN DUN!

It is common for developers to block headers that contain references to requests used by Python bots.  Here is a simple bot (it submits a request and retrieves the header information).

and the output

As you can see the user agent clearly states that I am using "python-requests."  If I want to block some bots from accessing my site I can specifically block this.

But I am a crafty scraper and I want to access your site regardless.  So I spoof the user-agent.

Below we see a script that rotates user-agent strings and sends requests to a webserver. (I have intentionally cropped the strings.  If you want the strings just give it a quick google :) )

And then the output

Closer look

My User-Agent has been obfuscated!

From a scraping viewpoint this is extremely valuable. From a malicious actor this also has merit.  If I can pretend to be someone different every time I access my target's website there is a chance that I can confuse the target's visit tracking system.
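The server's side of this, as an added example that is not the blog's script: a rule that only denies the default python-requests User-Agent is exactly what rotation defeats, so this classifier also counts requests and distinct User-Agents per client address inside a sliding window. The denylist tokens, the browser strings and the 203.0.113.x addresses are constructed for the example.

```python
"""Server-side counterpart to the user-agent rotation described above.

A filter that only denies the default "python-requests/..." User-Agent is
defeated as soon as the client rotates its string, so this classifier also
watches how many requests, and how many distinct User-Agents, one client
address produces inside a sliding window.  Everything here is constructed
for the example (added, not the blog's script); no network is used.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Substrings found in the default User-Agent of common scripting clients.
# Constructed denylist for the example; real deployments tune this.
SCRIPTED_UA_TOKENS = ("python-requests", "python-urllib", "curl/", "wget/",
                      "go-http-client", "scrapy")

# Constructed browser-like strings standing in for the cropped ones in the post.
BROWSER_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/85.0.4183.121 Safari/537.36",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148",
]


@dataclass
class BotDetector:
    window_seconds: float = 10.0   # how far back we look per client
    max_requests: int = 20         # requests allowed per client per window
    max_distinct_ua: int = 3       # a real browser does not change its UA mid-session
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def classify(self, client_ip: str, user_agent: str, now: float) -> str:
        """Return 'allow', 'block-ua', 'block-rate' or 'block-ua-rotation'."""
        ua = (user_agent or "").lower()
        # 1. The naive check the post describes: deny obvious scripted clients.
        if not ua or any(tok in ua for tok in SCRIPTED_UA_TOKENS):
            return "block-ua"
        # 2. Keep only this client's hits that fall inside the window.
        hits = self._hits[client_ip]
        while hits and now - hits[0][0] > self.window_seconds:
            hits.popleft()
        hits.append((now, ua))
        # 3. Volume check: rotating strings does not change the source address.
        if len(hits) > self.max_requests:
            return "block-rate"
        # 4. Rotation check: many different UAs from one address in one window.
        if len({u for _, u in hits}) > self.max_distinct_ua:
            return "block-ua-rotation"
        return "allow"


def simulate_rotating_client(client_ip="203.0.113.7", requests=8):
    """A client cycling through BROWSER_UAS, one request per second."""
    det = BotDetector()
    return [det.classify(client_ip, BROWSER_UAS[i % len(BROWSER_UAS)], now=float(i))
            for i in range(requests)]


def simulate_burst(client_ip="203.0.113.8", requests=25):
    """A client keeping one plausible UA but firing 25 requests in a quarter second."""
    det = BotDetector()
    return [det.classify(client_ip, BROWSER_UAS[0], now=0.01 * i)
            for i in range(requests)]


if __name__ == "__main__":
    print(BotDetector().classify("203.0.113.9", "python-requests/2.24.0", 0.0))
    print(simulate_rotating_client())
    print(simulate_burst().count("block-rate"))
```

The fourth distinct string from one address trips the rotation rule, and the burst is caught by volume alone, which is why a visit-tracking system keyed on more than the User-Agent is not "confused" by spoofing.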

What are the next steps?

(Future posts are going to include the following)

Well, aspects I want to add to the script:

- build in proxies

- build in country selection that pairs common user-agents with country specific proxy

- build in sessions

- build in mouse movements

- add random timing for sessions


Stay tuned for future parts to this discussion!








Monday, 5 October 2020

A Walking Tour of Calgary Internet Exchange Points

We often talk about our ISPs (Internet Service Providers) with varying degrees of like and contempt.  Your ISP is just the downstream from the source though.

Imagine Telus (a Canadian telecom company) as a gas station where you go to fill up your phone with data when it runs out.  Or maybe they keep your data fuel running to your house so you can binge Netflix documentaries.

A gas station doesn't make the fuel for the car, it sells it to you.  They buy it from the companies that pull the bitumen out of the ground and refine it into something useful.

However there is a part of the internet process that most people are not aware of: Internet Exchange Points.  They exist as a hub where ISPs can connect and provide internet to all their customers.  You could, if you wanted and had the infrastructure, connect directly to the IXP and skip the ISP altogether.  Most people don't have the start-up funds to get this kind of connection set up.

So I wanted to take you on a walking tour of the IXPs located in Calgary.  In the picture below you can see the locations of our IXPs.  Let's start top left and work our way to the bottom right.

(Full disclosure I am using data gathered from this resource as my primary source)

1. Cybera, Suite 200, 3512 - 33 St NW

Located very close to the UofC and a stone's throw from Crowchild Trail we have Cybera.  It is at this location that we have the IXP --> YEGIX

2. 1313 10th Ave SW



Rogers has a peering datacentre here. Rogers DC2.

Across from Community Foods on 10 Ave SW lies our next IXP located in Calgary!



3. 840 7th Avenue SW

Our next IXP is located in a building right beside the Sandman hotel on 7th Ave and 8th St.  Those who have ever taken a train downtown know the corner of 7th Ave and 8th St well.  You know the one, Macs used to be there.

Follow this link here to get a general layout of office spaces in this building.

4. 800 Macleod Trail SE

Recognize this building? You should, it is the Calgary Municipal Building.


5. 7007 54th St SE

Just across the street from the Calgary Soccer Centre we have our next IXP.

6. 5300 86 Ave SE

Located in the same building as Q9 Networks we have our final IXP.  Which, as it turns out, is just north of an Enmax South office location.





Monday, 28 September 2020

Risks of Surfing the Web: When a Nation says "NO!"

Communications censorship is not a new thing.  It has been happening as long as people were able to grunt out rudimentary messages to one another.  Like everything else, as humans evolve so does our technology.  So that raises the question: how does one get around it?  I have talked about proxies in this blog before, and I will be mentioning them again in other posts.  However what I want to focus on is how people can circumvent censorship when an entire nation is blocking them.

The internet is this fascinating universe where people can reach out and connect with one another.  We can chat with friends and family around the world.  Better yet, especially for the researcher in me, I can reach out and touch machines on the other side of the planet.  If I wanted I could send an ICMP packet to a printer sitting on someone's desk in Vietnam and have it talk back to me.  That is the power of cyberspace.  

The internet is also like the Wild West, where people and nation states are making plays all the time.  There are so many connections that it is easy to see why nations are vying for power in this realm.  Power and control exist in many forms, one of those forms being the control of information and access to information.  

Introducing censorship!

There are a few big offenders when it comes to mass censorship of the internet.  Take a look at the picture below (the darker the shade, the worse the censorship). [10]

How is censorship enforced? [9] [4]

There are a few methods that can be in play.

- DNS Filtering - This one is popular

- Packet Filtering

- IP Address Blocking

- URL Filtering

- Removing pages from search engine results

- Resetting network connections

- Disconnecting the network

How to beat Censorship [5]

The question now is how can I come out and experience the freedom from censorship when my government is blocking and redirecting me.  Well it is as simple as this.

1. VPN

ExpressVPN [6] is considered the best well-rounded VPN service for Russians (for example, although I suspect that the websites that state this were paid to say so...).

But really it doesn't matter which VPN service you use; the point is that it encrypts your traffic.

2. Onion Routing

Most people who are reading this blog have heard of the Tor network.  Follow this link if you find your Tor is blocked.

Also access this PDF on how to use tor to circumvent censorship. [8]


For those who have read this far you are probably thinking "Ya, I know that already VPN and Tor!  Thanks for the click-bait."

Hold your horses I say!

Yes the above two options can help beat censorship but they are not foolproof.  I could restrict VPN servers/protocols in my country, or I could monitor known exit nodes on the Tor network.  There, I have just debunked these two methods.

Furthermore, let's talk about how easy censorship really is.

DNS is critical to online communications.  It is a hub of activity and redirection.  Almost every communication we send over the internet hits a DNS server first.  At a high level DNS is a convenience so that we don't have to memorize IP addresses.  What this also does is create a bottleneck for data flow. [11]  Most censorship targets DNS resolvers.  It is true that there are thousands and thousands of DNS servers one could connect to, but you still have to get to that resolver.

It is kind of like if I wanted to buy a loaf of bread from my local grocer "TASTY FOODS".  In a normal scenario I leave my house get in my car, drive to TASTY FOODS, buy my bread and return home.  

Under censorship: I leave my house and there is a person standing outside my front door.  I move to go to my car.  The person says, "Are you going to TASTY FOODS?"  I tell them yes.  The person then states, "Actually sir, all bread must be bought from SUPER BETTER FOR YOU FOODS.  Please get in this bus with all these other people and we will escort you to where you can get the bread we want you to eat."

This all may sound glib, but if the ISP (Internet Service Provider) and the IXP (Internet Exchange Provider) are under government control....and that government wants to restrict its residents' access to the internet, then they can do it and it is not that hard.

Surf Safe friends

Andrew Campbell











Monday, 21 September 2020

An Introduction DNS SinkHoles (Pi-Hole)


I wanted to showcase an awesome lightweight tool that can be used in businesses and in your personal home.

Pi-Hole is a DNS sinkhole.  When set up correctly (and it is dirt easy) all your traffic in/out is filtered, removing a large portion of garbage ads and various known content that can be harmful to your internal hosts.

I set up my Pi-Hole and had it working with default settings within minutes and had it running for 24 hours.  The picture above shows the results of normal traffic across the network.  

I was pleasantly surprised at how simple the set up was.  Also the fact that the software comes pre packaged with a massive blocklist to begin filtering content immediately.

There are loads of features to enable in this solution and it is relevant not just to home filtering but also to the business environment.

Maybe you don't want your staff spending time accessing streaming videos for hours on end: easily add domains to the "blacklist" and the traffic will be stopped in its tracks.

You can direct traffic to your sinkhole on each individual machine but an even better solution is to set up Pi-Hole as a solution where all your devices point to it as the default DNS resolver of choice.  Using this scenario you can force all devices on the network to resolve with Pi-Hole first before going out to the internet.

I want to share a bit of how I am utilizing the tool in my home/lab environment.

In my lab I have a desktop server.  On that server I run a virtualized 2020 Ubuntu server set to bridged networking.  I have Pi-Hole installed on the virtual Ubuntu server.  With my bridged Ubuntu server I can now direct traffic to the IP where Pi-Hole is installed.  If I wanted to set Pi-Hole as the DNS resolver on each device I could do so at this point, however I don't want to do that much work.  Also I want Pi-Hole to be the de facto DNS server on my network so that any guests who visit me and ask to use my network will have their traffic filtered, and I would be mitigating (to a degree) the risk of someone bringing ransomware etc. into my home network.

So in order to do this I need to tell my router that before users exit my network and access the internet they need to resolve with my Pi-Hole first.  This is simple enough and you can find very good instructions at  Every router is different though, so you would need to access your router and do some troubleshooting.

I noticed an impact immediately.  Right away I could tell things were cleaner while accessing my browser.  The part that amazed me the most was the sheer quantity of queries that were blocked that I was not aware of.  Tons of analytics, trackers, ads, redirects etc.  Things we just wouldn't think about, which is kind of the point of them existing.

Also an extremely useful aspect of Pi-Hole is that it lends itself well to network analytics.  Which sites are blocked the most?  Which device on the network is sending the most blocked queries?  Why is a certain device making queries in the middle of the night when everyone is asleep?  And so on.  The in-depth ability to monitor and analyze logs allowed me to gain a better idea of what is happening in my network.  

I learned some fascinating things right away.

Example 1: My wife's Fitbit makes internet queries every 20 min, even throughout the night (it was blocked and her watch was no longer synced with her phone [she wasn't happy......I fixed it though!]).

Example 2: On my primary desktop (Ubuntu 2020), whenever I access Office 365 in the browser, literally hundreds of ubuntu-connectivity-checks suddenly begin occurring.  (This one is weird.  Ubuntu?)

Example 3: Things like DisneyPlus and Amazon Prime Video stop working, which makes sense because you are blocking ads.  (It's an easy fix in Pi-Hole: find the blocked query and add it to the "whitelist".)

Aside from the ability to block/allow content and the ease of analytics there are a couple hidden benefits of utilizing Pi-Hole.

1) Internet traffic can be faster, potentially.

- what! no way! Yes it is true! Pi-Hole uses a cache to keep traffic of regular visits.  If users are accessing data regularly it will give the user the cached content instead of the user having to go and retrieve it from the website.  Your users may not notice this, but you as the sysadmin can know that you have done your bit to make your network more efficient.  FYI you can view analytics on this as well ;)

2) Mitigation of risks at the Intrusion and Exploitation layers of the Cyber Kill Chain:

Depending how you have been attacked or whether the security incident is purely accidental you will be mitigating some risks.  If we are blocking users from accessing certain things or stripping away some of the opportunity for accidental click-jacking attempts we are doing our part to mitigate risk.  Also useful for threat hunting; Who is doing what on my network? what activity is happening? what is the most blocked content/trackers/ads etc. (tracking and tagging)
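The sinkhole and the analytics above in miniature, as an added example (not Pi-Hole's code, and not the blog's). It is also the mechanism the censorship post calls a DNS bottleneck: whoever answers DNS for a network decides where names resolve; here the operator uses that power benignly, with an allowlist override for the streaming host case and a query log that answers "which device is noisiest" and "who talks at 3 am". The blocklist, allowlist, upstream answers and query log are constructed inline.

```python
"""A miniature DNS sinkhole with the analytics the Pi-Hole post describes.

Added example, not Pi-Hole's code.  Listed domains (and their subdomains)
answer with an unroutable address, an allowlist overrides the blocklist for
the odd streaming host, and every query is logged so we can ask which device
is noisiest and who is talking at 3 am.  Upstream answers and the query log
are constructed inline; nothing touches the network.
"""
from collections import Counter
from dataclasses import dataclass, field

SINKHOLE_IP = "0.0.0.0"   # what Pi-Hole style blocking returns for blocked names


def parent_domains(name):
    """'ads.tracker.example' -> ['ads.tracker.example', 'tracker.example', 'example']"""
    parts = name.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]


@dataclass
class Sinkhole:
    blocklist: set
    allowlist: set = field(default_factory=set)
    upstream: dict = field(default_factory=dict)   # stand-in for the real upstream resolver
    log: list = field(default_factory=list)        # (client, name, hour, status)

    def _listed(self, name, listing):
        return any(d in listing for d in parent_domains(name))

    def resolve(self, client, name, hour):
        """Return (answer, status); status is 'allowed', 'blocked' or 'forwarded'."""
        name = name.lower()
        if self._listed(name, self.allowlist):      # explicit allow wins, like the whitelist
            status, answer = "allowed", self.upstream.get(name, "NXDOMAIN")
        elif self._listed(name, self.blocklist):
            status, answer = "blocked", SINKHOLE_IP
        else:
            status, answer = "forwarded", self.upstream.get(name, "NXDOMAIN")
        self.log.append((client, name, hour, status))
        return answer, status


# --- analytics over the query log -------------------------------------------
def blocked_by_client(log):
    """Which device on the network sends the most blocked queries?"""
    return Counter(client for client, _, _, status in log if status == "blocked")


def top_blocked_domains(log, n=3):
    """Which names are sinkholed most often?"""
    return Counter(name for _, name, _, status in log if status == "blocked").most_common(n)


def overnight_clients(log, start=0, end=5):
    """Which devices query between `start` and `end` o'clock, when everyone is asleep?"""
    return {client for client, _, hour, _ in log if start <= hour <= end}


# --- constructed sample data --------------------------------------------------
UPSTREAM = {"example.com": "198.51.100.10", "cdn.video.example": "198.51.100.20",
            "example.net": "198.51.100.30"}
BLOCKLIST = {"tracker.example", "metrics.example", "video.example"}
ALLOWLIST = {"cdn.video.example"}          # the "find the blocked query, whitelist it" fix
SAMPLE_QUERIES = [                           # (client, name, hour of day)
    ("laptop", "example.com", 9),
    ("laptop", "ads.tracker.example", 9),
    ("laptop", "metrics.example", 10),
    ("phone", "cdn.video.example", 20),
    ("phone", "api.video.example", 20),      # still blocked: parent listed, not allowlisted
    ("watch", "sync.tracker.example", 2),
    ("watch", "sync.tracker.example", 3),
    ("watch", "sync.tracker.example", 4),
    ("tv", "example.net", 21),
]


def run_sample():
    """Replay the constructed queries through the sinkhole and return it."""
    sh = Sinkhole(BLOCKLIST, ALLOWLIST, UPSTREAM)
    for client, name, hour in SAMPLE_QUERIES:
        sh.resolve(client, name, hour)
    return sh


if __name__ == "__main__":
    sh = run_sample()
    print("blocked per client:", blocked_by_client(sh.log))
    print("top blocked:", top_blocked_domains(sh.log))
    print("overnight talkers:", overnight_clients(sh.log))
```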

Is the solution foolproof? No, a resourceful user could potentially circumvent your carefully crafted security solution.  But it will do something and should greatly reduce potential issues for the average user on your network. 

I can't speak highly enough about this tool.  It works beautifully in my home/lab network and I think there is a business case for incorporating this (DNS sinkholes) into an SMB and maybe areas of Enterprise business.

Andrew Campbell

Monday, 14 September 2020

Fingerprinting with Ports (Minecraft Edition)

So I was doing research the other day gathering some information that I could share with my students and I stumbled upon a random machine (I was using a technique mentioned previously here).  I found a machine that was very clearly also being used for Minecraft.  As I was thinking about how easily I found this machine I began to wonder if I could make it even easier with Python.

I know folks who have hosted a Minecraft server (Bukkit) in the past.  They followed the instructions on the website and various forums.  They port forwarded on 25565 and they distributed their external IP address.  I think back now to those friends and realize the world of hurt they were inviting into their lives.  That's the past! Things are different now!


The recommendations are still pretty simple to set up a Minecraft server and unless you are mindful about how people are connecting into your network you will likely be using default settings.

So I created an experiment.  It is small in scope but can be extrapolated to other areas simply enough.

Using port scanning and Python I wanted to be able to fingerprint a machine's purpose based on its ports.  I don't want services.  I don't want OSes.  All I want is an automated process whereby I can, within a reasonable margin of error, make a guess at what the machine's primary purpose is.

So for example on the internet ("clear-net") there are tons of firewalls.  Which is fine, but what if I get a machine with some obscure ports open?  What could it be?

So as it turns out it is actually possible with python.  For our purposes I went with Minecraft and I scaled back a lot to present a proof of concept.


With Python, check whether an IP address has port 25565 accepting TCP connections.  I don't fully care if it is a Minecraft machine or not.  What I care to find out is whether this machine is worth digging into any deeper.

In addition, I wanted to use my list of scraped vulnerable IP addresses to see which of these potentially doubled as a Minecraft machine.

Above you will see my short python script.  Essentially what is happening in the script is that I:

1. import nmap module

2. open file fed to script from terminal

3. strip out the newline from every list element and then begin feeding the IPs to the scanner.  If there is a TCP connection on port 25565, append the IP to a list called "pc"

My results were staggering.

My list of vulnerable IPs currently stands at 13927. 

Of this list of known compromised IP addresses a whopping 7299 were found to have a port 25565 accepting TCP connections.  

That is 54%!!!!!!

So to be clear, did I go through and do a follow-up scan to verify that each of these machines had a Minecraft service running on this port?  No.  However port 25565 is an obscure enough port number that one can make an educated guess.  Also I did do a random test on a healthy number of these machines to see if they had a Minecraft service on it.....They all did!

In conclusion, this experiment was small in scope.  I was only looking for the results from 1 port.  However it is conceivable that if we add more ports to the list and develop a profile off of that collection of ports one could quickly fingerprint a machine to fish out of it what it's primary purpose or role is.
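The multi-port profile the conclusion proposes, as an added example that is not the post's python-nmap script: it parses a saved nmap grepable (-oG) scan instead of scanning, so it runs offline on existing results, and labels a host only when enough of a profile's ports are open. The scan text, the 203.0.113.x hosts and the profiles themselves are constructed for the example.

```python
"""Role-guessing from open ports, generalised past the single-port check above.

Added example, not the post's python-nmap script.  Instead of scanning, it
parses nmap's grepable (-oG) output, so it runs offline on a saved scan, and
scores each host against small port profiles; a host is labelled only when
enough of a profile's weight is open, which is the "reasonable margin of
error" the post asks for.  The scan text below is constructed, and the
profiles are illustrative, not a standard.
"""
import re
from collections import Counter

# role -> {port: weight}; weight reflects how telling the port is for that role
PROFILES = {
    "minecraft":    {25565: 3, 25575: 2},            # game port, RCON
    "web":          {80: 2, 443: 2, 8080: 1},
    "mail":         {25: 2, 587: 2, 993: 2, 143: 1},
    "database":     {3306: 3, 5432: 3, 1433: 3},
    "windows-host": {135: 1, 139: 1, 445: 2, 3389: 2},
}

# "Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, ...\tIgnored State: ..."
GREPABLE_HOST = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Map each scanned host to its set of open TCP ports."""
    hosts = {}
    for line in text.splitlines():
        m = GREPABLE_HOST.match(line)
        if not m:                 # comments and hosts with no port list
            continue
        ip, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(","):
            # each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                open_ports.add(int(fields[0]))
        hosts[ip] = open_ports
    return hosts


def guess_role(open_ports, min_confidence=0.5):
    """Best-matching profile and the fraction of its weight that is open."""
    best_role, best_conf = "unknown", 0.0
    for role, profile in PROFILES.items():
        matched = sum(w for port, w in profile.items() if port in open_ports)
        conf = matched / sum(profile.values())
        if conf > best_conf:
            best_role, best_conf = role, conf
    if best_conf < min_confidence:
        return "unknown", best_conf    # too little evidence; keep the score for triage
    return best_role, best_conf


def classify_scan(text, min_confidence=0.5):
    return {ip: guess_role(ports, min_confidence) for ip, ports in parse_grepable(text).items()}


def role_share(roles):
    """Percentage of hosts per guessed role, like the post's 54% figure."""
    counts = Counter(role for role, _ in roles.values())
    return {role: round(100 * n / len(roles)) for role, n in counts.items()}


# Constructed sample in nmap -oG format (203.0.113.0/24 is a documentation range).
SAMPLE_SCAN = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 203.0.113.5 ()\tPorts: 22/open/tcp//ssh///, 25565/open/tcp//minecraft///\tIgnored State: closed (998)
Host: 203.0.113.6 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: filtered (998)
Host: 203.0.113.7 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
Host: 203.0.113.8 ()\tStatus: Up
Host: 203.0.113.9 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
"""

if __name__ == "__main__":
    roles = classify_scan(SAMPLE_SCAN)
    for ip, (role, conf) in roles.items():
        print(f"{ip:<14} {role:<13} {conf:.2f}")
    print(role_share(roles))
```

A lone 8080 scores too low to be called "web", which is the point of the threshold: one port is a hint, a cluster is a fingerprint.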

Thanks hope you enjoyed!

Andrew Campbell



Tuesday, 8 September 2020

An nmap Buddy Script (Where in the World?)

I briefly highlighted a script I wrote previously in my post Route out IP Locations: Free Tools, however I am bringing it back!!

Why? Well honestly because I think that when you are performing recon on a target why wouldn't we want more data?  I modified the script from the previous blog so that it takes input from the terminal and quickly provides you the geolocation of the IP you are scanning.

*IP intentionally obfuscated

Lat and long: throw them into Google and you will get a map right away.




Maybe you don't want to be poking around in China (make sure you are using proxies if you are doing deeper recon)

Typically when doing recon you should be obfuscating/hiding your location entirely.  A nice feature of this script is that it utilizes scraping.  This means that you yourself are not probing your target, you are getting someone else to do it and then just reaping the gathered information.

Also understanding the geolocation of target is extremely useful.  

- What is the political climate in that region?

- Are they a nation state known for cyber-aggression?

- Are they a small player in the cyber-world?

All of this information is useful for developing a grounded view of your target.  When it comes to cyber-security all data is valuable and helps with the big picture.

Monday, 31 August 2020

Who Attacked Czechia in April 2020?

On Friday April 17th, 2020 the Brno University Hospital in the Czech Republic experienced a massive cyber attack.  Between the hours of 5am and 8am "something" occurred on their network.  The "something" was bad enough that the entire network had to be shut down.  Officials working with the Czechian government attempted to "recover" the data loss.  

Immediately when I hear "data recovery," I can assume that data was destroyed.  Also when an entire network is shut down, the incident implies that the malware was spreading.  With these two pieces of information I am going to make the leap and say that the Brno University Hospital had ransomware.

It's a safe assumption.

The news was big enough to make it to the western hemisphere as well [8].  Mike Pompeo wagged his finger at the screen saying:

“We call upon the actor in question to refrain from carrying out disruptive malicious cyber activity against the Czech Republic’s healthcare system or similar infrastructure elsewhere,”

and further.

“The United States has zero tolerance for malicious cyber activity designed to undermine U.S. and international partners’ efforts to protect, assist, and inform the public during this global pandemic...expect serious consequences."

My curiosity revolves around who-dun-it.  Brno University Hospital is the biggest institute in the city of Brno that was doing Covid-19 tests.  So it was a big target.  A spokesperson for the hospital said that they encounter cyber attacks of this nature regularly and has defended against all of them[4].  Which is what a good face for the company should say.  However the flip side of the coin would mean that something was different this time.  If these had been blocked before, what's different?

This attack had even been flagged a few days prior by Czechia's National Cyber and Information Security Information Agency (NUKIB) stating that infrastructure was "at risk."

Coincidentally, another hospital in Czechia experienced strange activity a few days before.  They reported elevated levels of scans occurring at their network.  They were smart and made back-ups immediately. [4]

NUKIB stated that a "serious and advanced adversary" was responsible.  It kind of blows my mind that NUKIB would say this.  The nation's cyber-security agency publicly said that an advanced adversary was responsible.  I don't think any government agency in our world would make this statement lightly.

The United States knew almost immediately that the Czech Republic's health, "and other" [8] infrastructure was at risk.  There is only a small handful of "serious and advanced adversaries" in our world.  Honestly, America knew who the culprit was. 

Let's flash forward 3 months.  It is now July 2020.

Mid July, Britain's National Cyber Security Centre publicly announced that Russian hackers sponsored by the state were attempting to steal COVID-19 related data.

Of course the Russian news agency denied all of these allegations, basically saying "You can't prove it..."

The NCSC pinned the attacks on a group named APT29.  Stating that a variety of tools and spear-phishing was in use. [7]

Now it is August 2020.

Russia has a vaccine!![9] Unfortunately experts say they have cut corners and rushed the vaccine out the door.  Their health officials say it is "safe and effective", even Putin's daughter got the vaccine.  But what else can you expect from a country where a majority of their national stations and newspapers are owned by the government [10].

As an extra jab, and honestly which I feel is directed at America, the vaccine is called "Sputnik-V" in honour of the world's first satellite.

I know I'm speculating here, all I have done is collect data to make a hypothesis.

Here are the proven facts:

- Two hospitals in the Czech Republic attacked, data stolen/corrupted

- Czechian National Security Agency confesses a "serious advanced adversary" at play.

- Russia has a huge cyber-criminal underground [11] (An "advanced adversary")

- The United States knew about the attack on the hospitals almost immediately.  (They monitor everything, let's not kid ourselves)

- Russian hacker group(s) were proven by multiple agencies to be actively targeting Covid-19 research facilities.

So here is my Hypothesis:

I will write it as a note to the people of the Czech Republic.

"Dear Citizens of the Czech Republic,

For what it's worth I sympathize that your country was attacked.  While people like Mike Pompeo can say there will be 'severe consequences,' please don't hold your breath.  Yours [cyber attack] was but the first publicly disclosed incident in what I am very confident was a deluge of attacks against other research facilities that either never told anyone there was an incident or have no idea that data was stolen and still is being stolen.

The "seriously advanced adversary" that attacked you, was known by global powers.  They knew that you were a target before the incident.  

I don't know what to say but 'good-luck' because you are quite literally in the middle of a cyber battle ground being fought every day by global powers positioning themselves for strength.

My advice, and I urge you to take it.  Route out the nation-states resident in your critical infrastructure.  They are there and they are listening to everything.














Monday, 24 August 2020

"No Log" VPNs Not Safe for Much longer


VPN is becoming (already is) an essential tool for anyone who wants to surf the internet and have their traffic encrypted and shielded from snooping eyes.

There are lots of service providers and it can seem overwhelming when selecting the right VPN provider.  

*Pro tip: Don't even consider a VPN provider if they keep logs.

What are VPN logs?  It's in the name, when you use their service they keep track of what you did and where you went (on the internet).  Obviously if we are paying for a VPN service we must have some interest in privacy so why should we care if they keep logs?  The problem is that when someone (authorities) requests these logs the company must hand over the logs.  Effectively all that privacy you are paying for is undone.  Hence the advice, use a "no-log" VPN service provider.

This is good advice, but what happens when those "no-log" providers still have data on you?  Everything you do online leaves a footprint to a degree even if that footprint is encrypted.

Pirate Bay has long been a spot on the internet to acquire various digital items that you want to torrent.  I'm not going to discuss the ethics of this right now ;)

Pirate Bay has been shutdown before [3] and there are a lot of people that have an interest in Pirate Bay being gone forever.  However those folks who tend to the Pirate Bay are not interested in losing that traffic.  Pirate Bay utilizes the services of OVPN a "zero-log" VPN service.

On a surface level if I was hosting a torrent site, ya I would want stuff encrypted and I would not want any logs.  However there is an anti-piracy group (Rights Alliance) who are actively trying to acquire information on OVPN for the purpose of shutting down Pirate Bay [1].

This is where the problem arises.  If a "no-log" has no data on its users then how could anyone find a specific user?  If a "no-log" were brought to court, what could they actually turn over? 

Well that is what is happening right now, Rights Alliance, the anti-piracy group mentioned earlier, is trying to bring OVPN to court.  They have hired a supposedly resourceful and successful pen-testing company to find out as much it can about OVPNs users.

While there are no logs to be handed over, OVPN does have a database of users and they do have servers that are connected to users (the entire nature of their business).  As well, OVPN is able to see who is connected to what IP address at any given moment.  The pen-testing company fully understands the relationship between data and information.  When data is collected and correlated it becomes information, and information has power.

Why is this a big deal?

If OVPN, a "no-log" VPN service provider, is brought to court and loses, why couldn't this happen to other "no-logs"?  If Pirate Bay goes down because of the collection of this data, which OVPN has to do in order to run its service, it is conceivable that any "no-log" could be brought to court and a user could be handed over using the exact same methodology.

Our online privacy is constantly at risk.  Freedoms are not necessarily lost all at once, they are handed over bit by bit.

This is something to keep an eye on.





Tuesday, 18 August 2020

Proxy Daisy Chain

If you value anonymity and privacy then you likely are familiar with proxies and VPN.

Kali Linux has an amazing feature built into it that makes using proxychains so much easier.  There are loads of great resources out there to teach you how to set up and use proxychains on your system.  For some great tutorials check out the references at the bottom [1][2][3]. (These are great tutorials!)

For myself I want to focus on a companion script I wrote to automate parts of the proxychains process.

In order for the script to work you need to also use my script "" you can find it under projects in this blog called "Proxy Import Script."  Very quickly, the import script retrieves a list of free proxies and creates a list, which then makes this list available wherever you need it.

Proxychaining is incredibly easy.  The method that my script is working with needs to have a set list of proxy addresses.  I only have access to free proxies online.  I don't want to go to the site and copy and paste it into the configuration file.  The below script will automate this for us.  

In previous blogs I have gone through the code line by line, I am not going to do that for this one.  Essentially this is what is happening:

- list of proxies imported

- open conf file

- search for particular lines matching pattern and update local list

- check to see if the script has been run before by removing old proxies

- add new proxies based on number selected by user

- clear the file

- print local list back into conf file

- boom, we have an updated /etc/proxychains.conf file


This method does work, however you are at the mercy of the location where the free proxies were scraped from.  Also who knows who owns these free proxies, you take the risk on when you use them.

This script was fun! Honestly the better method would be to:

1. uncomment "socks4 9050"

2. install the tor service

This works so much faster.  My scrape proxychain scripts work, but if you are looking for a proxy-chain that will work every time, go with tor.

*take a look below for some setup things you should consider if you want to get my script working on your system.

Preset up of proxychains.conf

1. make a back up: "cp /etc/proxychains.conf /etc/proxychains.conf.bak"

Modifying /etc/proxychains.conf

1. comment out "strict_chain"

2. comment out "random_chain"

3. uncomment "dynamic_chain"

4. make sure that "proxy_dns" is uncommented

5. comment out "socks4 9050" (we are not setting up our system for Tor)
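The script's steps and the config edits listed above, applied in one pass over the text of proxychains.conf, as an added example that is not the blog's own script: each scraped line is validated before it goes in (a malformed line would otherwise corrupt the file), the stock Tor entry is commented out rather than deleted, and entries from an earlier run are replaced rather than accumulated. SAMPLE_CONF and CANDIDATE_PROXIES are constructed; only rewrite_file() touches disk.

```python
"""Rewrite /etc/proxychains.conf the way the companion script above does.

Added example, not the blog's script.  One pass over the file text: set the
chain mode, keep proxy_dns on, comment out the stock Tor entry, drop proxies
left by an earlier run, and append the requested number of fresh entries,
each validated so a malformed scraped line cannot corrupt the config.
SAMPLE_CONF and CANDIDATE_PROXIES are constructed.
"""
import re
import shutil

PROXY_LINE = re.compile(r"^(socks4|socks5|http)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})$")
CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
TOR_DEFAULT = "socks4 127.0.0.1 9050"


def normalize_proxy(line):
    """'type host port' for a well-formed entry, else None."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    ptype, host, port = m.groups()
    if not 0 < int(port) < 65536 or any(int(o) > 255 for o in host.split(".")):
        return None
    return f"{ptype} {host} {port}"


def update_proxychains_conf(conf_text, candidates, count, mode="dynamic_chain"):
    """Return the rewritten config text; raises if nothing usable was supplied."""
    fresh = []
    for cand in candidates:                      # validate + dedupe, keep `count`
        entry = normalize_proxy(cand)
        if entry and entry not in fresh:
            fresh.append(entry)
        if len(fresh) == count:
            break
    if not fresh:
        raise ValueError("no usable proxy entries")

    out, in_list = [], False
    for line in conf_text.splitlines():
        stripped = line.strip()
        bare = stripped.lstrip("#").strip()      # the directive, commented or not
        if bare in CHAIN_MODES:                  # exactly one chain mode stays active
            out.append(bare if bare == mode else "#" + bare)
        elif bare == "proxy_dns":                # no DNS leak past the chain
            out.append("proxy_dns")
        elif stripped == "[ProxyList]":
            in_list = True
            out.append(line)
        elif in_list and not stripped.startswith("#") and normalize_proxy(stripped):
            if normalize_proxy(stripped) == TOR_DEFAULT:
                out.append("# " + TOR_DEFAULT)   # keep the Tor line, disabled
            # any other live entry came from a previous run: drop it
        else:
            out.append(line)
    if not in_list:
        raise ValueError("[ProxyList] section missing")
    out.extend(fresh)
    return "\n".join(out) + "\n"


def rewrite_file(path, candidates, count):
    """Back the file up (path + '.bak') and write the updated version in place."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        new_text = update_proxychains_conf(fh.read(), candidates, count)
    with open(path, "w") as fh:
        fh.write(new_text)


# Constructed excerpt of a stock config, plus a scraped list with junk in it.
SAMPLE_CONF = """\
# proxychains.conf  (constructed excerpt for the example)
strict_chain
#dynamic_chain
#random_chain
chain_len = 2
proxy_dns
tcp_read_time_out 15000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4 \t127.0.0.1 9050
http 198.51.100.4 3128
"""
CANDIDATE_PROXIES = ["socks5 203.0.113.10 1080", "not a proxy line",
                     "http 203.0.113.11 8080", "http 203.0.113.11 8080",
                     "http 300.1.1.1 80", "socks4 203.0.113.12 1080"]

if __name__ == "__main__":
    print(update_proxychains_conf(SAMPLE_CONF, CANDIDATE_PROXIES, count=2))
```

Running it twice on the same file yields the same text, which is the "has the script been run before" check done structurally rather than by guesswork.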





installing proxychains to debian system: