Monday, 30 November 2020

How to Hide a Root User (activity) in Linux

The other day I was in a discussion regarding user accounts and zero width spaces.  We were talking about how it is possible to hide data inside of the zero width space because the space between characters is in itself a character as well.  That led to the question: could we hide characters in a user name?  Could a person create an account that to the naked eye looks like root, but when the hidden characters are revealed the truth is that you have multiple "root" accounts?

What we learned was scary and should make every sysadmin think about what they are reading in their logs.  If I am root and I see a task completed by root in a log, but I have no recollection of doing that task, I should do some digging and make sure that I have no secret root accounts on my machine.

Normal Method of adding user.

In the above image we can see I added a user "testUser." This is the normal process with no bells or whistles.

I deleted testUser and added it again, but this time with root privileges.  Observe the differences between a root user and a regular user (lines 3 and 6).

For comparison (above) I also show the existing root user.  Oopsie! I have two users with the same UID!

The next part is where the magic happens.  Using Unicode I can create a user that looks exactly like another user but is different because the name contains the special "zero width" character.  The extra Unicode is enough information for the OS to differentiate that there are two users, but to you and me there is no visible difference.

Take a look at this picture below.

lines 1-2: I show current "testUser" on system

line 3: I add a user like I did previously; the only difference (sadly you can't see it) is that I add a zero width Unicode character at the end (ctrl + shift + u --> 200B)

lines 4-6: I show the /etc/passwd file with the two users.  They look the same!! (FYI I technically have three accounts on my system with a UID of 0 <-- Bad)

In the next picture I switch to my zero width user.

So obviously if you are an admin and you have some automation set up to check /etc/passwd regularly, then you will likely catch this.  Hopefully you have some OS hardening set up to prevent this from happening in the first place.  The danger here is that I made a user that looks exactly like another user.  You cannot visibly tell the difference between the two.  I could do what I want on this OS masquerading as a local user and the logs would all look legit.
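The kind of /etc/passwd automation mentioned above, as an added example that is not part of the original post: it flags extra UID 0 accounts, names containing invisible Unicode code points, and pairs of names that render identically. The passwd excerpt and the "andrew" account are constructed to reproduce the scenario in the screenshots.

```python
import unicodedata

# Constructed /etc/passwd excerpt reproducing the post's scenario: the real root,
# "testUser" created with UID 0, and a look-alike whose name ends in U+200B.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "testUser:x:0:0::/home/testUser:/bin/bash\n"
    "testUser\u200b:x:0:0::/home/testUser\u200b:/bin/bash\n"
    "andrew:x:1000:1000::/home/andrew:/bin/bash\n"
)

def parse_passwd(text):
    """Return (name, uid) for every well-formed seven-field passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            entries.append((fields[0], int(fields[2])))
    return entries

def hidden_chars(name):
    """Code points in a user name outside printable ASCII, e.g. U+200B."""
    return [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
            for c in name if not 32 < ord(c) < 127]

def visible_form(name):
    """What the terminal shows: Unicode format characters (category Cf) vanish."""
    return "".join(c for c in name if unicodedata.category(c) != "Cf")

def audit_passwd(text):
    entries = parse_passwd(text)
    report = {"uid0": [n for n, uid in entries if uid == 0], "hidden": {}, "lookalikes": []}
    by_visible = {}
    for name, _ in entries:
        bad = hidden_chars(name)
        if bad:
            report["hidden"][name] = bad
        by_visible.setdefault(visible_form(name), []).append(name)
    # Distinct names that render identically are the "second root" trick above.
    report["lookalikes"] = [names for names in by_visible.values() if len(names) > 1]
    return report

if __name__ == "__main__":
    import sys
    # Pass a path (normally /etc/passwd) to audit a real host; default is the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    for key, value in audit_passwd(text).items():
        print(f"{key}: {value!r}")
```

The report prints names with repr(), so the U+200B shows up as an escape instead of disappearing the way it does in the screenshots.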

Thanks everyone!

Andrew Campbell



Monday, 23 November 2020

A Tangible Example of Stateful Firewalls

If you spend any amount of time with firewalls (FW) you will encounter stateful FW.

The goal for this week's article is to shed some light on a stateful FW in action.  A simple demonstration will help those new to FW or those needing a quick refresher.

Before moving forward let's briefly talk about a tool that every IT professional uses.


The packet internet groper.  This little tool we use so much that we take it for granted.  Ping leverages ICMP and allows me to send an ICMP packet to a target.  The power of ping is that with ICMP I can evoke a response from a target.

I always pause here when I say this to students.

Because, think about it, a machine that was not anticipating a packet receives a random packet and then responds to it.

I usually demonstrate this concept by pinging a machine in Asia and observe the response. (I reside in Canada).

So there is the brief history on ping.  Keep this in mind as we continue on.

Above I am showing a simple network managed by a router.  On either side of the router I have separate LANs.  Static routing is already set up, so a machine in is able to ping a machine in and vice versa.

Above I am showing some rules on the OPT2 interface. These are outbound rules that say this:
- from .3.11 allow TCP/UDP to LAN machine .1.101 via port 3389
- block everything coming from OPT2 > LAN
- allow everything from OPT2 out (going to the internet)

Here .3.11 is attempting to ping .1.101.  As you can see the ping hangs and never makes it through.  Thanks FW!!

Here .1.101 is pinging .3.11 and we are getting a response.  I know this picture is boring but something awesome is happening.

Remember in the previous picture that .3.11 could not send an ICMP Request packet?  From .1.101 however we saw that .3.11 did in fact send an ICMP reply, an ICMP packet!

This is where the magic of stateful FW comes into play.  In my FW configuration I am allowing all traffic from LAN to OPT2.

All pings from LAN can get to OPT2.  My FW remembers communications (states) from LAN, and because my FW is not stopping this transaction, .3.11 is able to respond even though it sits behind a FW rule that says nothing should go to the LAN network.

Why is this useful?  Without this I would have to create separate rules for inbound and outbound.  Stateful FW takes care of this for me!

But don't get too comfy with the rules being "easy."  You have to be mindful of the communication relationship.  What packets are typically responses to certain packets?  If you are not vigilant in crafting careful rules you could leave your network wide open for attack.
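The behaviour described above, modelled as an added example that is not part of the original post or the author's pfSense configuration: a first-match rule set plus a state table, with the blocked ping, the allowed ping and the reply that rides on the state. The addresses 192.168.3.11, 192.168.1.101 and the 192.168.1.0/24 LAN are assumed; the post only shows the .3.11 / .1.101 suffixes.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str              # interface the packet enters the firewall on
    src: str
    dst: str
    proto: str              # "icmp", "tcp" or "udp"
    dport: int = 0          # 0 for ICMP
    is_reply: bool = False  # echo reply / return segment of an existing flow

# (iface, src, dst network, protos, dport, action), evaluated first-match,
# mirroring the OPT2 rules in the post plus "allow everything from LAN".
RULES = [
    ("OPT2", "192.168.3.11", "192.168.1.101/32", ("tcp", "udp"), 3389, "pass"),
    ("OPT2", "*", "192.168.1.0/24", "*", "*", "block"),   # OPT2 -> LAN
    ("OPT2", "*", "0.0.0.0/0", "*", "*", "pass"),         # OPT2 -> internet
    ("LAN", "*", "0.0.0.0/0", "*", "*", "pass"),          # LAN -> anything
]

class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()   # (src, dst, proto, dport) of flows already passed

    @staticmethod
    def _matches(rule, pkt):
        iface, src, dst, protos, dport, _ = rule
        return (iface == pkt.iface
                and src in ("*", pkt.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(dst)
                and (protos == "*" or pkt.proto in protos)
                and dport in ("*", pkt.dport))

    def handle(self, pkt):
        # Return traffic of a remembered flow passes without consulting the
        # rule set at all; that table of remembered flows is the "state".
        if pkt.is_reply and (pkt.dst, pkt.src, pkt.proto, pkt.dport) in self.states:
            return "pass (existing state)"
        for rule in self.rules:
            if self._matches(rule, pkt):
                if rule[-1] == "pass":
                    self.states.add((pkt.src, pkt.dst, pkt.proto, pkt.dport))
                return rule[-1]
        return "block"   # default deny when nothing matched

def demo():
    fw = StatefulFirewall(RULES)
    return [
        # .3.11 pings .1.101: no state yet, so OPT2 -> LAN is blocked
        fw.handle(Packet("OPT2", "192.168.3.11", "192.168.1.101", "icmp")),
        # .1.101 pings .3.11: the LAN rule passes it and a state is recorded
        fw.handle(Packet("LAN", "192.168.1.101", "192.168.3.11", "icmp")),
        # .3.11's echo reply crosses OPT2 -> LAN but passes on that state
        fw.handle(Packet("OPT2", "192.168.3.11", "192.168.1.101", "icmp", is_reply=True)),
        # RDP from .3.11 to .1.101 is explicitly allowed by the first rule
        fw.handle(Packet("OPT2", "192.168.3.11", "192.168.1.101", "tcp", 3389)),
        # the same port to a different LAN host is still blocked
        fw.handle(Packet("OPT2", "192.168.3.11", "192.168.1.50", "tcp", 3389)),
    ]
```

A real firewall also keys ICMP states on the echo identifier, tracks TCP handshake state, and expires entries; this model keeps only the four-tuple so the request/response relationship stays visible.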

Thanks Everyone!
Andrew Campbell

Monday, 16 November 2020

Bleedingtooth, Russians, and Penguins

Hi Everyone,

This week I have partnered with a colleague.  Josh Kozak wrote an awesome article.

Check out his LinkedIn profile:

Josh Kozak


Due to the limited desktop use of Linux I always forget that there indeed exists malware for Linux based systems. This, coupled with the fact that most distributions of Linux have adopted popular security tools like SELinux, FirewallD, UFW or iptables baked right in for ease of use, makes it easy to feel safe and secure in a Linux environment. However, recently two reports came as a reminder to update kernels and detection rules.  One of course is a widespread Bluetooth vulnerability affecting the BlueZ library and the other is the NSA report detailing the Drovorub malware tool for Linux systems.


Bleedingtooth was the name given to the Bluetooth vulnerability found by Google security engineer Andy Nguyen, who then reported it to Intel. [1] It's reported that the vulnerability affects BlueZ, which is the official Linux Bluetooth stack. Essentially Bleedingtooth allows an attacker within Bluetooth range to send a malicious L2CAP packet to execute code with kernel privileges. The attacker not only has to be within range, but the device must also be set to discoverable over Bluetooth for the attack to be successful.

Now while that may seem to be a very specific set of circumstances for the vulnerability to be taken advantage of, it's important to remember that BlueZ is also found on most Linux based IoT devices. This would allow attackers to pick and choose their targets at leisure and through those devices gain access to even greater network bounties. Being IoT devices, it is also a safe bet that they may be missed on a sweep of system/kernel upgrades and could be running kernel versions that are vulnerable.

Intel announced that upgrading your kernel to version 5.9 or higher will fix the vulnerability. They also released various patches for kernels in case full kernel upgrades were not viable.


I find the NSA report detailing the Drovorub malware far more intriguing, however; simply put, it's a full Swiss army knife for Linux systems. The most interesting part itself comes from the fact it's reported to have been created by APT28 (military unit 26165 of the Russian General Staff Main Intelligence) [2]. Drovorub itself is basically four different executable components: drovorub-server, drovorub-agent, drovorub-client and the drovorub-kernel module.

The client gets installed on the target's system by the actor and can then receive commands from the server and offer file transfer to/from the system it's installed upon. The client also gets packaged with the kernel module, which provides rootkit-based stealth to hide the client and the kernel module themselves. The server and the agent are typically both installed on infrastructure that the attacker controls. The server keeps a database using MySQL for registration, authentication and tasking of the agent. The agent receives commands from the server and its purpose is mainly to upload and download files from the client and forward network traffic through port relays. [3]

To defend against the Drovorub malware it is recommended to update the Linux kernel version to at least 3.7 or later. Rules for both network-based and host-based detection are also available from the report. The report also goes into memory analysis to help find any instances of the malware.

The fact that these tools are bundled together will make it easier for scripts to be written that could potentially lead to targeting of older production systems that may not be so assured to have working current backups. Also, when you look at where Linux is mostly being used (business/production servers, industrial PLCs and IoT devices), this leads one to think that originally these tools were most likely created for industrial or commercial espionage. Add the fact that this all works for kernel versions much older than current, and it leads me to believe there are far more malware tools out there that are just as effective against newer Linux systems as well.

These two reports had me pause and check what I was doing with my Linux system on my laptop. I ran through a list of things from checking my kernel version to how my Bluetooth service launched and ran. I even realized that the install I had performed hadn't really been configured with a firewall at all. So, no matter how secure your castle feels, it's always a good idea to go out and check for cracks in the foundation.

Monday, 9 November 2020

Data Stealing: The Next Logical Step for Adblockers

Depending on what side of the fence you are on you either love AdBlockers or you hate them.  Content creators and such hate AdBlockers.  Their dislike for this software is justifiable; they depend on the revenue that comes from clicks.  As a regular user of the internet though it can be quite jarring to see all the ads on a website, or to be watching an interesting video and then be subjected to a 3 min video about a new truck.

Even popular services like Twitch are working to combat AdBlockers [2].

I personally have been using adblockers and utilities like Pi-hole for so long that when I see a YouTube ad I actually have to pause for a second because it has been so long since I have seen an ad.  I literally kind of forget that ads are a thing.

Recently though it has been discovered that some adblockers were actually being used to steal data [1].

In this blog I'm going to dive into how AdBlockers tempt folks to steal data.

I'm surprised we haven't heard about data being stolen through AdBlockers sooner honestly.  If you think about it, from a high level, AdBlockers act as middle men in the communication between your browser and the website.  When an adblocker detects a script that smells like an ad it stops the script from running.  So why am I not surprised AdBlockers are being used maliciously?  Well, if the software is going through the work of detecting "ad" scripts, why not go the extra step of tracking user data?

Data = $

Maybe it is my Google bubble but most of the research links that came up revolved around how to circumvent adblockers.  Even more evidence that people are invested in getting around your browser plugins.

I did find an interesting article describing a technique [3] that web developers use to detect if you are using an ad blocker.  To summarize the article, you plant a dummy JavaScript file on your site, and if that script is blocked by an adblocker the page fires up an alert.  This is likely the method in play when you are moving around the internet and you get a window that says "Hey why are you using adblocker?! We need money too!!"


The most popular way to get ads on your website fast is using Google AdSense.  If your website is in compliance with the rules that Google has set, then you are allowed to begin participating in the program.  Above is an example of AdSense code that is inserted into your website.

This code isn't particularly complicated.

It's a script that exists somewhere in your website code, and when visitors land on your page they will be presented with the ad that is linked in the script.

Adblockers work in a similar way in that they are themselves a script that analyzes the website code (similar to how web scrapers work).  The script looks to see if particular patterns are met and then prevents that script from running.

That brings me to the whole point of this article.  If an adblocker is already set up as a middle man analyzing a website before you land on it, wouldn't it be a simple step to add another line of code that sends stats about the page you are on to a server somewhere else?

Imagine if 300,000 people are using your adblocker.  You are a smart coder with gumption and you understand that data has value.  300,000 regular users is nothing to turn your nose up at.  A person could sell that data.  The temptation is real.  From a monetary standpoint I can see why people would do it.  From an ethical standpoint I think it is flat out wrong.

What can you do?

Well honestly, read.

Often the best strategy to understanding the security of software is to read about it before you install it.

- Are there reviews?

- Do reviews trigger any ethical red flags for you?

- Is the developer up front about what and how they are using your data?

- Or......stop being an early adopter (I feel like I could write a whole article about early adopters).  The benefit of waiting a bit is that you can read reviews and see what people say.  Why do those tests on your own systems when you can let other people do the work for you?

- Run apps you want to test in a virtual environment

Educate yourself on the applications you are using because nothing is free.  That free app you downloaded is getting paid somehow, likely by selling your data.
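One concrete way to "read" before you install, as an added example that is not from the article or from any real extension: inspect the extension's manifest.json for the middle-man access described above and for data permissions a blocker has no need of. The manifest is constructed for a hypothetical blocker; the permission and host-pattern names are the real ones Chrome and Firefox use.

```python
import json

# Constructed manifest (Manifest V3 layout) for a hypothetical blocker; not a
# real published extension.
SAMPLE_MANIFEST = """{
  "manifest_version": 3,
  "name": "Hypothetical Blocker",
  "permissions": ["webRequest", "storage", "tabs", "history", "cookies"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["filter.js"]}]
}"""

# Host patterns that put the extension in the middle of every page you load.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# What a blocker needs in order to stop "ad" scripts before they run.
FILTERING = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}
# Not needed to strip a script from a page; each is an extra source of data
# about you that a middle man could just as easily forward somewhere.
DATA_ACCESS = {"history", "cookies", "bookmarks", "downloads", "clipboardRead",
               "identity", "geolocation"}

def review_manifest(text):
    m = json.loads(text)
    perms = set(m.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixed them into permissions.
    hosts = set(m.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for script in m.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    every_site = bool(hosts & BROAD_HOSTS)
    extra = sorted(perms & DATA_ACCESS)
    if every_site and extra:
        risk = "high"     # sees every page and has data sources beyond them
    elif every_site:
        risk = "medium"   # sees every page, which is what blocking requires
    else:
        risk = "low"
    return {"reads_every_site": every_site,
            "filtering_perms": sorted(perms & FILTERING),
            "extra_data_perms": extra,
            "risk": risk}
```

"medium" is the normal result for an honest blocker: broad page access is the job, so the question to ask is only what else the extension asked for.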


Thursday, 5 November 2020

Network Security - A Calgary ISP (Critical Analysis)

The other day I came home and I saw a pamphlet in my mailbox.  It was a local ISP tempting me to purchase their services over my current provider.  (This article is by no means meant to be slanderous towards an ISP in my area.  It is meant as a critical analysis of a provided service.)

You should know that I truly don't care who my ISP is.  I take care of the network security at my home.

This provider, who so kindly left their info in my mailbox, was offering $6/mo for additional security services.

Here I am, a person mindful of cybersecurity, left wondering what $6 can do for me that I can't take care of myself.  Or is this just a ruse to dupe folks into signing up for internet packages?

I'm conducting this analysis in a different way: I'm going to write my thoughts down as I read about their $6 additional security.  I think it will be a fun experiment; maybe my viewpoint will change by the end!?  As of this writing, I know nothing about what comes with the $6 or why anyone should buy it. I will be tongue in cheek.  You have been warned ;)

Let's dive in.

You may have figured it out by now but yes it is Shaw. A quick look at their website and I have a few questions.

Right away we are given a generic statement.

"Attackers use several methods to steal your files, information and identity, or even attempt to takeover your device. Network Security helps defend your network and devices from these threats." 

It goes on to list "Ransomware" "Hacks" "IOT".

Save me from the Hacks please!!!

Further down, in order to get more info you need to be a customer; however, I was able to get this.

"For just $6/mo, get comprehensive cyber security for your home network and protection for up to 10 devices with McAfee® Multi Access."

I think people may have split opinions on McAfee.  I tend to view anything related to this company with trepidation.

McAfee Multi Access boasts the following:

1. Anti-Malware

2. Anti-Virus

3. App Protection (I actually find this kind of advertising frustrating, what does that even mean? App Protection?)

4. ....and a whole suite of Security tools!

At this point there is no more information on the website. I have to start digging in other piles now.

I found a link that explains a bit more about Multi Access. [3]

There is a video on the link and it explains that "If you are at coffee shop you are quite vulnerable."  This is true, and MA apparently can detect if someone is trying to "hack" you.  Not many details on how, though.

The video further goes on to explain that you can track, lock and wipe remote devices.  This is actually a very useful tool.  Having control of MDM for your own devices is a nice security feature.

A single license directly from McAfee will protect up to 5 devices, with this ISP you get 10.  Do you have 10 phones/tablets at home?

According to the site you get alerts if a website is "suspicious."  However, with a small amount of education you can catch these sites yourself.  Also there are many browser plugins that can do this work for you, and honestly probably do a better job at it.

App protection.  As you read earlier, I was confused by what this means, so I found a video that explains it [4].

Basically, when you download an app MA will do a scan and give you a risk rating on it.  At this time it will give you an option to delete it if you want.  Some would say that if an app was built with malicious intention, the damage is already likely done by just downloading it.  So this feature might just be making people feel good about "catching" a bad app.


I wish that this ISP was more up front about what comes with the $6 fee.  It's peanuts in the long run, but their primary sales website is so broad that I feel it is obvious their target market is folks who are unaware of general cybersecurity.

The primary site talks about "..many other security tools!"  I could not easily find any info on what these tools are.  Are there actual tools?  I am skeptical.

MA is geared more towards your mobile devices, tablets and phones.  It doesn't seem to be a great fit for desktops/laptops.  My opinion on this is based solely on the fact that most of MA's features are focused on phones.  You can track, set off an alarm on the phone, take a picture of whomever has stolen it and finally you can wipe the device.

If wiping a stolen phone is your primary reason for wanting this service then I guess it is not a bad option because the other features are not really worth it honestly.

There are open source tools that you can add to your systems that will help protect you as you browse.  Also if you have any ounce of security awareness then you can probably come to the conclusion that all of the "features" they are offering you can easily be taken care of by yourself.

So MA is a decent tool for users who have limited security awareness, but those who are cognizant of security can easily protect their environment without paying extra for MA.