Monday, 29 March 2021

Python - Super Quick Port Scan

Hey! I'm back at it and I wanted to share a small script that I use in my pentesting practice.  

When I really want to dig into a port scan I will go to my de facto tool, nmap.  However, before I get to that point I want to determine a few key things about a paying client's target.  

What is the low hanging fruit?

In a previous post I highlighted how we can use web scraping to grab the geolocation of a public IP address.  Maybe it's just me, but I love knowing where I am pinging to.  

The tool I will be highlighting here is another one for the preliminary information gathering process of penetration testing.

scan.py


In the above image you will find the script.  It is super straight forward (I love python so much).

First I use my geo.py to find where the IP address is. (I have attached a general picture of the area where the public IP is that I am working with)


The next step is to use the scan.py

Immediately I know that this machine has a port of interest.

With this info I would want to go further with nmap and check versioning, OS, etc.  However, it appears that we may have a fairly good avenue into this machine.

Another quick way is with netcat (nc -vn [IP] [port]); this can actually return a service banner and version, but hey!

This is a post about Python!!!

This script could be easily modified to scan a slew of popular ports.  I wouldn't go too crazy with ports, because nmap is a much better tool for recon.  However, something quick and easy like this is a nice way to gather initial information.
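Since the scan.py screenshot did not survive, here is an added example of the same idea, written for this page and not the original script: a TCP connect scan over a list of "popular" ports, plus the banner grab that netcat gives you for free. It uses only the Python standard library. The port list, the loopback listener and its "SSH-2.0-ConstructedExample" banner are assumptions constructed so the example can be run offline against your own machine rather than against someone else's host.

```python
"""Quick TCP connect scan with a small banner grab (added example, not the blog's scan.py)."""
import errno
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# A short list of "popular" ports worth a first look (assumed; tune per engagement).
COMMON_PORTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
    110: "pop3", 139: "netbios-ssn", 143: "imap", 443: "https", 445: "smb",
    3306: "mysql", 3389: "rdp", 5900: "vnc", 8080: "http-alt",
}


def check_port(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    A completed handshake is open; an immediate RST (ECONNREFUSED) is closed;
    anything else (timeout, host unreachable) is reported as filtered, which is
    what a firewall silently dropping our SYN looks like from the outside.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            rc = s.connect_ex((host, port))  # returns an errno instead of raising
        except OSError:                      # e.g. name resolution failure
            return "filtered"
    if rc == 0:
        return "open"
    if rc == errno.ECONNREFUSED:
        return "closed"
    return "filtered"


def scan(host, ports=COMMON_PORTS, timeout=1.0, workers=32):
    """Check every port concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: check_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def open_ports(results):
    """Only the ports that answered, sorted: the 'low hanging fruit' view."""
    return sorted(p for p, state in results.items() if state == "open")


def grab_banner(host, port, timeout=2.0):
    """Read whatever the service says first, like `nc -vn HOST PORT` would show.

    SSH, FTP and SMTP greet the client before we send a byte; silent services
    (HTTP, most custom daemons) return '' after the timeout.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(1024).decode("utf-8", "replace").strip()
        except socket.timeout:
            return ""


def start_listener(banner=b"SSH-2.0-ConstructedExample_1.0\r\n", host="127.0.0.1"):
    """Run a throwaway loopback service for a self-test; returns (socket, port).

    The banner is constructed for this example so the scan has something to
    find without touching anyone else's hosts.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0: let the kernel pick a free one
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed; stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:  # scanner hung up before reading; harmless
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserved_closed_port(host="127.0.0.1"):
    """Bind and release an ephemeral port so it is (almost surely) closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, live = start_listener()
    dead = reserved_closed_port()
    results = scan("127.0.0.1", [live, dead])
    for port in open_ports(results):
        print(f"{port}/tcp open  banner={grab_banner('127.0.0.1', port)!r}")
    print("closed:", [p for p, s in results.items() if s == "closed"])
    srv.close()
```

Two caveats a practitioner would want: a connect scan completes the three-way handshake, so every probe lands in the target's logs (nmap's default SYN scan does not complete it), and this only covers TCP; UDP services such as DNS or SNMP need a different approach. Only point it at hosts you are authorized to test.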



Andrew Campbell

Monday, 22 March 2021

A Unique Look at Securing Remote Users in 2021

Hi Everyone,

This week I am showcasing a colleague of mine.  
Thomas Llewellyn shares his thoughts on remote security!

Check out his webpage: https://www.oroshi.ca/

Roughly a year ago COVID-19 was declared a pandemic by the WHO and a mass exodus of employees from their office workplaces, into their homes, was commenced. This brought with it a number of urgent technical challenges which fell upon the shoulders of IT personnel worldwide, and are still being dealt with today.

The sudden need to support and secure an entire company's staff while they worked remotely was an issue that many organizations were not prepared for; administrators and supporting IT personnel had to think quickly to come up with a solution that was viable, and could be implemented as painlessly as possible.

Today I would like to look at what happened over the last year, as well as some of the major security issues that come with supporting remote users. Finally, I will shed light on how a small cybersecurity firm from California has come up with a simple solution that works so well it's a mystery that more people aren't doing it.


The Great WFH Migration of 2020


At the time, the move to a WFH (Work From Home) model forced organizations to quickly come up with ways to enable their employees to stay productive while keeping business assets safe, and IT departments or MSPs were tasked with implementing these solutions.

No problem, right? The tasks related to supporting remote users are part of the bread-and-butter of being an everyday IT hero:

Setting up remote access to desktops
Installing VPN clients for secure access to company networks and assets
Imaging company-issued hardware and creating Domain logins for Group Policy controls

This time it was different though: the sheer volume of users that suddenly needed to be supported, coupled with the growing trend of moving to cloud-based solutions, opened what I can only imagine was a Pandora's box of problems for IT staff around the globe.

So how did companies handle this? Speaking to different people about how their organization handled the sudden move to working from home, (and having experienced it first hand while attending classes at SAIT), I have heard an entire range of responses: from horror stories to it being "just another day" at the office.

Business As Usual


Some businesses, especially (modern) software development firms, already hosted their resources on cloud-based repositories like GitHub, and working from home just meant more time for coffee in the morning 🌞☕ 👍. Many of these businesses also communicated over collaboration apps like Slack, and video conferencing apps like MS Teams come with the Microsoft 365 Enterprise subscription, which many of them had.
All that was left to do was implement new company policies making pants a requirement for the morning scrum meetings...

Virtualization? Cloud? What's That?


On the other end, some companies' lack of investment in their information infrastructure left them with little or no choice on how to get everyone working from home.
(Trigger Warning! If you are currently working in IT, the following story may cause you some distress.)

A (very) large energy company in Alberta sent all their employees home with their personal desktops.

I don't think I need to go into too much detail with you about what kind of nightmare that would be to manage, (any more than it must have ALREADY been), but a few things do come to my mind:


IT and its abilities to protect and support a business did not seem to be a priority in that company.
Now that everyone took their desktops home, how are these being managed and kept safe?

o Backups?
o VPN?
o Remote desk... oh, right, nevermind 🙄

And let's think of the users for a moment:

Where are they supposed to plug in this computer?
Are they now covering the added energy cost of running a desktop in their home?
What about the additional risks that come with working from home? Having a company desktop left unlocked while other small (and curious!) family members are around is a definite added security risk.

When I hear stories like this, I can only think of how many times the IT team approached upper management, begging for them to approve a move to something more manageable (virtualization, cloud-based infrastructure, etc.), only to have it deemed an unnecessary expense.
IT is often viewed as nothing more than an unwarranted cost, and unfortunately, the brunt of work that arises in these kinds of disasters falls on the very people who tried to prevent it in the first place. My heart goes out to you.
So the response to the pandemic and WFH runs the entire gamut of excellent to awful, which seems to have been directly related to how well that business managed their information infrastructure.
Now let's take a closer look at some of the specific security concerns that were being addressed, and why they may not provide an adequate solution for the issues at hand.

Security Concerns When Working From Home

The traditional "castle model" of workplace cybersecurity was suddenly made obsolete with the shift to working from home. This model had been slowly diminishing for some time, and now some major changes needed to be made, ASAP. If an organization hadn't already implemented a Zero-Trust network approach, they certainly needed to do it now: Every employee was connecting from a network outside of the company, on an undetermined number of devices of varying types.

How can these devices and their connections to the company network be secured? Sure, if it's a handful of employees, just image a couple of laptops, give them Domain logins and a VPN client to connect to the network. Next step, run sfc /scannow on a troubled user's computer, and go for coffee, right??
Okay but what if it's every employee? Does your organization even have that many take-home devices? 

How quickly can VPN clients be set up on every device? And, let's be honest: does a VPN really secure an end device that will be on the same network as other family members who might be answering calls from "Microsoft Support"? ISPs will need to be contacted, as a major uptick in bandwidth is about to be seen, and the servers handling those incoming connections better be beefy enough to handle it all.

On top of that, with the growing popularity of cloud-based solutions like SaaS, what if the users don't even need a dedicated tunnel to the company network? All they need is a browser, and they can go about their usual business. Hey, no worries then, right?! Wrong! Have you seen the number of toolbar addons that some people have installed on their personal computers? A VPN wouldn't save this device from malicious activity; for all you know, it's already compromised, and probably needs the IT equivalent of an exorcism...

Alright, working remotely brings with it some serious security (and logistical) concerns, and traditional approaches of VPNs and company-issued devices aren't going to adequately cover them. Both end-users and IT admins need a good solution to keep everyone working safely: What's the best answer here?

From my (limited) perspective, the solution needs to include at least these basic four (4) points:
1. Users need to have some kind of hardware that can perform their normal work-duties
If they already own a desktop that can do their work, why change that?
If they need a laptop or other company-issued device, then so be it (but please, don't send them home with a Desktop!)

2. Any connection to the company network needs to be secure, originating from a Zero-Trust network of its own
I'll get to this, but as we already discussed: a VPN does not prevent the spread of the latest ransomware, caused by a teenager's visit to a shady website. Much less: it now has a dedicated tunnel to your servers. Yay!
Zero-Trust needs to start at home! ("I'll take: 'Worst-sounding true statement of 2021' for $800, please" ✋)

3. It needs to be as simple as possible for end users
Or else they will simply find an easier (and less secure) way of doing it.
Imagined Support Phone Call with Bill from Management (sorry to any Bills out there reading this): "Okay Bill, now log in to the new Router that we sent home with you, and just partition the network into VLANs..."💀

4. Lastly, the solution needs to fall within a reasonable cost for the company.
Buying 100s of new laptops and setting them up for remote work may be doable by an elite unit of IT technicians, but is there a more cost-effective (and faster) way of doing this?
There are probably more considerations, but what if I told you that all of these points could be achieved with a single device, that takes less than 5 minutes to set up, with ZERO configuration for the end user?

Cyberlucent's SecureWorkHome (SWH) Device

I recently had the pleasure of meeting with the team from Cyberlucent, a cybersecurity firm based in California, with offices here in Calgary and Ottawa. They have come up with a unique approach to solving the problem of working securely from any location, and it's so simple it's almost unbelievable:

Piggybacking on the hardware of the Unity Dream Machine, Cyberlucent has made the SWH Device: a "Fully segmented, firewall protected, zero-trust, network segment operating within an otherwise unsecure network environment." All a user needs to do in order to get up and running is plug the SWH device into their router, and then connect their own device to it. On the other (business) end, the SWH device can connect from its cloud node to an existing VPN server, or a dedicated SWH server. (See the images below, illustrating the different setup options.)



As an added benefit, the network is continuously monitored by Cyberlucent's proprietary security AI, Cytheia, which "applies advanced data analytics, artificial intelligence, and machine learning to “see” into network traffic streams and […] extract[s] actionable cyber risk information". Come at me, hackers.

Uh, What?

After our conversation, I went straight to Google: Surely, the market would be flooded with these kinds of solutions. It's too simple; others must have thought of this already, and have market-ready solutions for me to choose from.
It turns out: it's not. There are some solutions out there, but having it all packaged together in one simple plug-n-play device has not become widely available yet.
Why aren't more companies doing this? I don't have an answer, but rather, I would like to open it to you:
What do you think of third-party solutions like this?
What are the serious drawbacks you see?
Are there other obvious solutions to working from home that you wish industry professionals knew about?
Maybe more companies offering these types of solutions will start popping up, but with the exponential rise of security threats, and the birth of things like Malware as a Service, I only hope that organizations act quickly and prudently to implement them.



Monday, 15 March 2021

New YouTube Series: Wireshark Hide and Seek

 


I have a new YouTube series rolling out!  I will be regularly posting Wireshark tips and techniques essential to all security analysts.  

Check out my channel, I have a lot of other videos relevant to cybersecurity as well!

Here are the first 5 episodes!  If you enjoy my content please like my videos and subscribe.  Enjoy :)







Monday, 8 March 2021

The Admin is Dead...Long Live the Analyst



Let me tell you a fictional tale.  It has two colleagues and they both work in IT.

Two IT individuals walk into a bar.  They approach the bartender and order a drink.

It's a slow night so the bartender asks the first person what he does for a living.

He responds while pulling his sunglasses down to look the bartender fully in the face.

"I'm a cyber security analyst. I protect businesses from attack, I mitigate threats live!"

Bartender: "Wow that is so cool! All those things you said make sense from a high level.  I mean I don't know how businesses are attacked or what mitigating threats means but hot damn that sounds awesome!"

The bartender turns to the second person. "Are you an analyst as well?"

"Well not on paper, I'm a System Admin"

Bartender: "What?"

The Admin points his thumb at his colleague. "He started at the company last week, I have been with the company for 15 years. I set up the infrastructure to support all our users, I installed monitoring software to analyze our assets for compromise, I apply patches regularly to protect the entire organization, I installed the hardware firewall my friend here uses every day, I write the scripts to automate numerous relationships between assets, I manage network and AD authentication......"

Bartender: "Cool.....So computer stuff!? Hey analyst have you ever stopped a virus?"

Analyst:"YEA BOI!"

Obviously the story is a bit glib and, to be clear, I have nothing against bartenders.

From my vantage point of the Education world I see signs that industry is changing.  It's not changing fast but the groundwork is being laid that will impact the future of IT.

It's no mystery that cyber threats have increased, and not just because of Covid. All Covid has done is create an environment in which cyber criminals flourish.

Cyber crime may use different tactics than 20 years ago, but the basics of networking and best practice, I hazard to say, haven't changed a ton.  Segmentation is segmentation.  A firewall still analyzes TCP/UDP and a gaggle of other protocols.

Let's blame my Google bubble, but I am seeing far fewer job postings for admins.  When I am travelling across the internet I see tons of offerings (ads) for security/network analysts.

Through cursory research, clicking on the first link presented (this was intentional; I wanted to see what my students were being presented with), it appears that the role of an analyst is very similar to the role of an admin.

Maybe I am showing my old fashioned attitude towards admins, but for me the admin is capable of doing everything and that includes security.

What is the future of admins in industry?

This is how I see the future of admins in the new world of IT.  They will still be there but they will have specialized names.

"Security Analyst"

"Network Analyst"

"Database ...."

"Application ..."

Etc.

Etc.

I predict, if it is not already here, that having a "security analyst" will be a regulatory requirement for many industries.

There will be a massive hiring frenzy for security/network analysts.

The roles typically assigned to admins will be split up between separate specialized roles.

In the next few years the term "Admins" will be used less and less until eventually all that survives is the "Analyst."

To all the admins out there: you can do everything, which makes you very valuable.  Don't get lazy.  You need to know that there is a generation of IT professionals coming behind you that are intentionally specializing.


Thanks for reading!!















Monday, 1 March 2021

Industrial Control System Hide-and-Seek


 

 I spend a lot of time researching and reading about security.

I love the subject matter, and every once in a while I stumble across something that makes my eyes bug out.

I say to myself...

"Did I read that correctly? Did that actually happen?"

There is so much happening all the time in cyber security that it is hard to stay on top.  It's a constant game of catch-up.

So I got an idea.  A personal challenge.

I have been reading recently about infrastructure and IoT.  I think IoT is the future, and in the same breath, it's critical that we secure these assets.

From my research I have learned the hard fact that CNI (critical national infrastructure) and ICS (industrial control systems) are woefully lacking in basic security.

The Challenge:

Within five minutes, how many types of industrial control systems can I locate online and either connect to directly or validate are reachable?

So with some quick googling and shodan.io at my side I set my timer and got to the task.

Keep in mind this is all within 5 minutes.

And this is what I found:

- Electronic Billboards

- Gas Station Pump Controllers

- Automatic License Plate readers

- Traffic light controllers 

- Red Light Cameras

- Voting Machines (US)

- Telcos running Cisco lawful intercept wiretaps

- Prison Pay Phones

- Tesla Charging stations

- Maritime Satellites

- Refrigeration Units 

- Wind Turbine Farms

- Commercial Vehicle GPS Trackers

- X-ray Machines

- Industrial Automation

- Door/Lock Access Controllers

- Railroad management

Now, I have no plan to exploit these assets, but keep in mind that in only 5 minutes, with some googling and Shodan, I was able to find and validate multiple machines of each of these ICS types.  

Now what if I actually had malicious intent? What if I had picked a target and spent significantly more time on the target?  What information could a person grab about the target organization?  How could someone move laterally from this target to some other unsuspecting asset?

Having connected devices is great, but proper security considerations need to be at the forefront.


Andrew Campbell