<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>Forem: Steveland</title>
    <description>The latest articles on Forem by Steveland (@testingtheeventhorizon).</description>
    <link>https://forem.com/testingtheeventhorizon</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F221401%2Fb9c3ac99-22b8-47e1-8b43-e3453300704c.jpeg</url>
      <title>Forem: Steveland</title>
      <link>https://forem.com/testingtheeventhorizon</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://forem.com/feed/testingtheeventhorizon"/>
    <language>en</language>
    <item>
      <title>How To Be Safe In a Cyber World</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Thu, 25 Mar 2021 10:11:10 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/how-to-be-safe-in-a-cyber-world-3mg9</link>
      <guid>https://forem.com/testingtheeventhorizon/how-to-be-safe-in-a-cyber-world-3mg9</guid>
      <description>&lt;p&gt;Son wrote an article for his school newspaper.&lt;/p&gt;

&lt;p&gt;I had his permission to post it, so here it is.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;On the 23rd March 2021, the National Cyber Security Centre published an article that highlighted that hackers have been targeting educational institutions.&lt;/p&gt;

&lt;p&gt;They would gain access to the schools and universities and lock down the data, and then demand payment to unlock the data.&lt;/p&gt;

&lt;p&gt;Now, when you think about hackers looking for a target, you think about Banks, government offices, and big online platforms.&lt;/p&gt;

&lt;p&gt;However, when you think about it, educational centres are just as valuable. Why?&lt;/p&gt;

&lt;p&gt;They hold tons of interconnected information which helps the hackers gain valuable information. Let us examine my school as a target. We are considering the worst-case scenario but work with me here.&lt;/p&gt;

&lt;p&gt;·      Pupil information which may contain date of birth, addresses&lt;/p&gt;

&lt;p&gt;·      Teachers' personal information such as bank details, name, addresses&lt;/p&gt;

&lt;p&gt;·      Each person has an iPad which is connected to the main server. Apple has the ‘Find my iPad’. I’m guessing here, but again, worst case scenario, they could write a program that finds all of the iPads. They now have a good map of where the iPads are.&lt;/p&gt;

&lt;p&gt;Like real life burglars, cyber criminals are looking for the easy target, but the IT staff at my school are always working to make sure that everyone’s information and systems are safe. This is why we have updates to our iPads, why we use iPads (they tend to be locked down more compared to Androids), we have strong passwords, and this is why we have certain applications locked down or denied to us. It is all about being safe.&lt;/p&gt;

&lt;p&gt;So what can we do to have the same level of awareness? As we get more integrated with technology, it is important that we remain safe.&lt;/p&gt;

&lt;p&gt;Here are some tips to improve your cyber security knowledge.&lt;/p&gt;

&lt;p&gt;·      Don’t install pirated Software – Pirated Software is a very big risk, you have no idea what the programmer has coded, they may have put bad code into that Fortnite auto aim software. I mean how else are you going to get that 360 no scope achievement?&lt;/p&gt;

&lt;p&gt;·      Passwords – You’ve heard this a million times, but there are several no-no’s when it comes to passwords&lt;/p&gt;

&lt;p&gt;o Admin, password, password123 – Bad&lt;/p&gt;

&lt;p&gt;o Personal Information – Pet names, mother's/father’s name, favourite sport – Bad&lt;/p&gt;

&lt;p&gt;o Just numbers – 12345678&lt;/p&gt;

&lt;p&gt;o Lowercase letters / uppercase letters – joker, batman – Bad&lt;/p&gt;

&lt;p&gt;Why? Computers are fast and they can be given a dictionary and they can run through the common words in seconds. What is better is known as a passphrase mixed with special characters, so a password such as:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Sw0rdJ3llyDr4gr0n!&lt;/strong&gt; is a good password. It is not a good idea to limit the password as that is another rule that the computer can use to figure out the password.&lt;/p&gt;

&lt;p&gt;·      Smart Devices (aka Internet of Things) – Always make sure that you change the password to not be the default that it is shipped with. Some manufacturers are not as educated in security and it has been known for hackers to gain access to your internal network by using your smart light or fridge as an entry point – So change that default password.&lt;/p&gt;

&lt;p&gt;·      Routers – Why leave your front door open and invite everyone inside? Like the Smart Devices, change the default password from admin/admin to a stronger username and password.&lt;/p&gt;

&lt;p&gt;·      USB Stick – Never ever plug in a random USB stick that you are given into your personal or school computer. Only use a stick from a trusted source.&lt;/p&gt;

&lt;p&gt;·      Don’t click on random popups when you visit a site, that ask you to install software that you are not expecting.&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;·      The last tip I can give is to make sure that any site that you go to is secure. You can tell because in the search bar is either a padlock or the website starts with https (the s is for secure) rather than http.&lt;/p&gt;

&lt;blockquote&gt;
&lt;h2&gt;
  
  
  Education
&lt;/h2&gt;

&lt;p&gt;There are some good sites that specialise in helping you understand and even help you understand how “hacking” works. In most cases, it’s teaching you the details of how computers, networks and programs work because to really break something, you have to know it well.&lt;/p&gt;

&lt;p&gt;Here are some websites:&lt;/p&gt;

&lt;p&gt;·      TryHackMe – &lt;a href="https://tryhackme.com/"&gt;https://tryhackme.com/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;·      National Cyber Security Centre - &lt;a href="https://www.ncsc.gov.uk/"&gt;https://www.ncsc.gov.uk/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;·      BBC Bitesize - &lt;a href="https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/1"&gt;https://www.bbc.co.uk/bitesize/guides/znnny4j/revision/1&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;·      PBS Cyber Security  - &lt;a href="https://www.pbs.org/wgbh/nova/labs/lab/cyber/"&gt;https://www.pbs.org/wgbh/nova/labs/lab/cyber/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In closing, there are many aspects to Cyber Security and if people like this article, I can look into what jobs you can get within the industry. It would also be cool to have an after school club, but who knows.&lt;/p&gt;
&lt;/blockquote&gt;

</description>
      <category>cybersecurity</category>
      <category>devjournal</category>
    </item>
    <item>
      <title>When a crisis occurs - Panic</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Mon, 22 Mar 2021 07:37:43 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/ports-open-everywhere-12jj</link>
      <guid>https://forem.com/testingtheeventhorizon/ports-open-everywhere-12jj</guid>
      <description>&lt;p&gt;Another week rolls on by and it has been quite eventful.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Managed to have my first COVID jab, so now I can receive all the good TV stations although I do have some hotspots around the house. Now, I just have to make sure that my firewall rules are in place and no unauthorised ports are exposed.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Did some more automation at work which is always good, it's nice to keep those skills sharp and have a plan of what I want to achieve and slowly make progress on it. &lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Had some American styled food to celebrate wife's birthday, very yummy and tasty. Every single piece was cooked well, soft and well...We still have leftovers &lt;strong&gt;Homer drool&lt;/strong&gt;&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In not so good news, my car broke down on the weekend, which is not what I want. Something to do with the starter motor dying on me, so now I have to wait for the garage to contact me to see what the damage is. &lt;/p&gt;

&lt;p&gt;Relating the incident to , it has shown me that:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;When you have a plan, and it doesn't go to plan, take a breather, think about the situation, pivot and then adapt (The original plan was going to be to drive it home and then get it to the garage).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;When the environment is busy (3 kids in the car), it's important to have a clear head, despite the initial panic. Try not to panic as that can spread to other people (Son saw the initial wide eyes). After breaking down on a fast road, I was able to get the car to the side of the road. Takeaway - Figure out the initial priorities (kids' safety) and act on it, then plan for the rest.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Communication - Kept in contact with the wife, but didn't overwhelm with too much information. Told her enough to let her know what was going on and what the plan was. Same with the kids, let them know what the situation was, but obviously the style and delivery was not the same. Therefore, in my head, it's the same when you are in security, keep the lines of communication open. Let the relevant stakeholders know the situation but know how to deliver that message in a way that makes sense to them.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Presentation of Information - I was hoping it was the battery that went as that would be easier to deal with. However, I presume like an incident, the information is there to come to the correct solution, if you know what to look for. &lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Lights were still working&lt;/li&gt;
&lt;li&gt;Low battery indicator had not come on yet&lt;/li&gt;
&lt;li&gt;The engine wouldn't even turn over (Didn't even make the usual clicking noise)&lt;/li&gt;
&lt;li&gt;Information about the steering wheel assist going showed up (It's amazing how heavy the steering wheel is when it doesn't have assist - and this is someone that is old enough to have driven cars pre power steering).&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The above may seem cringeworthy but hey, it's what I thought about and writing down your thoughts is never a bad thing. The above makes me think of another post I did years ago on why Batman would be a good QA. I mean I did a whole page on it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Immersive Labs
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Attempted to do the Halloween CTF and I know that I'm on the right track, or I hope so. The main takeaway is that I'm learning about the tool PRET and what it can be used for. Also learning about what ports printers are usually communicating on.

&lt;ul&gt;
&lt;li&gt;So far, I've been able to log on to the printer using the correct printer language&lt;/li&gt;
&lt;li&gt;Navigated the directories to the print jobs to find the files&lt;/li&gt;
&lt;li&gt;Managed to get them to my local computer&lt;/li&gt;
&lt;li&gt;Converted the ps file to text file which reveals the picture information in a meaningful text format - However I'm sure the information is there in the many lines in the files, I just need a way of identifying it (I tried grepping for flag or token).&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The thing I like about Immersive Labs is that they give you just enough information to move on and I like to think I'm making good progress with the free labs.&lt;/p&gt;

&lt;h2&gt;
  
  
  HacktheBox
&lt;/h2&gt;

&lt;p&gt;Tried to hack the main invite page, as I knew that I did it before in the past. I remember enough to open the source code (although it does give it as the number one hint) and I knew that JavaScript was the main focus clue but after ten minutes, I lacked the steps to take that information and use it. So I stepped back and went through the Academy that they have that taught me about:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;JavaScript obfuscation and De-obfuscation&lt;/li&gt;
&lt;li&gt;The tools and process needed to take the code and decode it&lt;/li&gt;
&lt;li&gt;Converting the encrypted string and using tools to decode it.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That was a nice knowledge dump to have, so now I have a good process and copious notes on how to decrypt encoded JavaScript code. Once I knew that, it was obvious what to do.&lt;/p&gt;

&lt;p&gt;I also did some more modules and learnt more about Burp Suite. I've used it before so it was more of a refresher course on how to intercept/Repeat the requests. Also had the refresher on how to manipulate cookies to hold different information. I have to say that it's a constant road of learning as it really is a case of use it or lose it.&lt;/p&gt;

&lt;p&gt;Right now, I'm halfway through the Networking modules, so going over again the different modules that deal with TCP/IP - OSI model. The different types of topology (Tree, Star, Point to Point, etc). It's quite heavy in knowledge, so I'm making pointed notes to read.&lt;/p&gt;

&lt;h2&gt;
  
  
  TryHackMe
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Did some more modules on Networking. A lot of the tasks and investigation were around the different types of protocols and how to manipulate them.

&lt;ul&gt;
&lt;li&gt;File Transfer Protocol&lt;/li&gt;
&lt;li&gt;Simple Mail Transfer Protocol&lt;/li&gt;
&lt;li&gt;Telnet&lt;/li&gt;
&lt;li&gt;Network File Systems&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Generally, the process tends to be the same, the only difference seems to be the detailed steps on how to exploit it.&lt;/p&gt;

&lt;p&gt;From what I'm seeing, it seems to be the following&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Research the landscape, find the important ports&lt;/li&gt;
&lt;li&gt;If possible, see if Anonymous access is available&lt;/li&gt;
&lt;li&gt;If so, log in and do some more research on the server&lt;/li&gt;
&lt;li&gt;Check for usernames or keys&lt;/li&gt;
&lt;li&gt;If possible, use a reverse shell&lt;/li&gt;
&lt;li&gt;......&lt;/li&gt;
&lt;li&gt;Profit&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Learning and Education
&lt;/h2&gt;

&lt;p&gt;In other news, sat down with son and we went through some introduction courses. We used the Try Hack Me introduction to Linux. So now he knows or has an idea on:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;IP Address, he knows that it's like an address that identifies a webpage or computer&lt;/li&gt;
&lt;li&gt;Some Linux commands, so he knows how to list a directory using some flags, he knows how to cat a file, how to create a file and he knows how to run a binary script.&lt;/li&gt;
&lt;li&gt;When he was answering the questions, he needed some guidance, but generally he was fine.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;We also used a website that was less technical and more gamified and story driven - &lt;a href="https://www.pbs.org/wgbh/nova/labs/lab/cyber/"&gt;https://www.pbs.org/wgbh/nova/labs/lab/cyber/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Take cybersecurity into your own hands. In this Lab, you’ll defend a company that is the target of increasingly sophisticated cyber attacks. Your task is to strengthen your cyber defenses and thwart the attackers by completing a series of cybersecurity challenges. You’ll crack passwords, craft code, and defeat malicious hackers.&lt;/p&gt;

&lt;p&gt;It uses challenges where you have to guess a password, use Scratch to control a robot and much more.&lt;/p&gt;

&lt;p&gt;In his words, the PBS site was easier to understand the concepts, while Try Hack Me was good in that I was learning real life skills.&lt;/p&gt;

&lt;p&gt;I like to think he is engaged as he wants to write a school article about what cybersecurity is and how to make yourself safe (from his point of view). He did ask me if schools get hacked. I did reply that I've never heard of an incident but if you think about the data that schools hold, it's quite the minefield of information. He'll do some more research and write it up. As soon as he does, I'll publish it here as well.&lt;/p&gt;

</description>
      <category>todayilearned</category>
      <category>infosec</category>
      <category>devjournal</category>
      <category>security</category>
    </item>
    <item>
      <title>Down the Cyber Security Rabbit Hole again</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Mon, 15 Mar 2021 11:19:29 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/down-the-cyber-security-rabbit-hole-again-22ld</link>
      <guid>https://forem.com/testingtheeventhorizon/down-the-cyber-security-rabbit-hole-again-22ld</guid>
      <description>&lt;p&gt;I haven't visited this blog for a while, I guess, errr..Life got in the way. However, I'm back and keen to get back to writing more about my software life especially in the area of Information Security/Cyber Security.&lt;/p&gt;

&lt;p&gt;So for reasons that escape me, I ended up thinking about Cyber Security and decided to get back into it and start learning as I knew I enjoyed it last time. What I think I find interesting is:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;The 'Neo, I know Kung Fu' part when I gain a little bit of knowledge.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;I'm the sort of person that needs to take the information and use it, I need to follow the breadcrumbs. For example, I'm looking at Wireshark and SMB. What I need are ways to step through and see what response is captured. I can then go, ah...that makes sense.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It's a long journey and I'm hoping to find a way into the cyber security space. I guess this is why I'm blogging, to show the journey and hopefully reach the masses, so when it comes to the question of, "What have you done to improve your knowledge?", I can point to this blog and showcase what I have learnt and more importantly, what I've learnt and realised along the way.&lt;/p&gt;

&lt;p&gt;My son also saw what I was doing and he's at the start of his IT knowledge as he's used to pressing an app icon and it's there. Unlike me when I was his age, I had to figure out how to configure the extended memory to get the PC games to work, I was wondering why pressing RUN STOP and the reset button made you go into the lower levels so you could look at the machine code (I think). So I ended up teaching him what I think is the basis of all this.&lt;/p&gt;

&lt;p&gt;"How to research for the answer", it's a section on Try Hack Me, but I think it's so important and it helps him in his other studies. Once he got used to looking at the text for clues, he started answering the questions on his own. I then showed him some basic Linux commands as well as trying to explain what an IP address was and how all the computers were on a network. I kept it to 10-15 minutes as I didn't want to explode his mind.&lt;/p&gt;

&lt;p&gt;I must have done a decent job as he sent me a video saying that I was a cool dad and that the cyber security stuff seemed interesting. #majordadpoints.&lt;/p&gt;

&lt;p&gt;I did give him the following advice&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HPqkLiV9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/75ulpe8uc4fa5x0k5lrf.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HPqkLiV9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/75ulpe8uc4fa5x0k5lrf.jpg" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;What I got up to over the weekend.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Try Hack Me Profile&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--z_06iMvz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8etb7hla8sv6e9y5aukw.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--z_06iMvz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8etb7hla8sv6e9y5aukw.PNG" alt="TTryHackMeProfile"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Immersive Labs Profile&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xWyxfIQS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/220q2m9paeisov3pszjc.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xWyxfIQS--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/220q2m9paeisov3pszjc.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--1vZ8QP_s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bq1c59ic3kf9mfmnhhh9.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--1vZ8QP_s--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bq1c59ic3kf9mfmnhhh9.PNG" alt="Alt Text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are various challenges that I attempted but didn't get anywhere with but that's part of the fun. Write down some notes to investigate later.&lt;/p&gt;

&lt;p&gt;There was one where a countdown was occurring and my brain automatically went to, if I can stop the countdown, then it will stop. Well, what is a countdown. It's potentially a process, so let's investigate that (ps, top?). Ok, that doesn't seem to work so far. Just as I'm writing this, I'm thinking, maybe it's a cron job, so potentially, I should look into the /etc/cron section of the directory. It might not work, but the trial and error nature is interesting and doesn't demotivate me.&lt;/p&gt;

&lt;p&gt;There was another challenge where I had to run a script and it'll return the token. So, without revealing what it is, the steps that "seem" to be on the right path were to run it normally and see what it outputted. I then used file to see what type of file it was, and strings to see if there was any readable text. Once I did that, then I was able to see some sort of code (it looked like C). I then used objdump to show the assembly functions of the script. This was all done with intensive googling. Do I understand what's going on..No, but again, the fun is in finding out. What I need to do is find a way of stepping through the code to 'follow the data'.&lt;/p&gt;

&lt;p&gt;It may seem like I'm failing on the labs on Immersive Labs but I'm finding that it strikes a nice balance. It provides you with enough information to get started, but not enough to spoon-feed you the information. I like that.&lt;/p&gt;

&lt;p&gt;The same with TryHackMe, it goes into more depth, but I do like the learning path which is why I didn't mind subscribing.&lt;/p&gt;

&lt;p&gt;Areas I seem to find really interesting (so far, I have a long way to go).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;OSINT&lt;/strong&gt; aka 'Someone that is really good at finding out information'. - Doing the challenges made me get a nice warming fuzzy feeling on finding out snippets of information, putting it all together and answering the questions. If there is a way to continue to hone my OSINT, I'm always open to suggestions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Networking&lt;/strong&gt; - From reading, it's come to my attention, that the more you know about networking, the better. So again, at the start of my journey but over the weekend, I read about the OSI model, the different types of scans. Even Wireshark didn't look like a foreign language to me. I could map back the various layers back to the OSI, TCP/IP model. I could see the SYN and ACK going back and forth. &lt;/p&gt;

&lt;p&gt;As I go through the various modules, I'll be sure to report back on my thoughts and opinions.&lt;/p&gt;

&lt;p&gt;What I want to do again is connect with more people, listen to more podcasts (I tend to only listen to Darknet Diaries at the moment). So again, suggestions are welcome.&lt;/p&gt;

&lt;p&gt;I wonder if BsidesCardiff is going to run again in the near future?&lt;/p&gt;

</description>
      <category>devjournal</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>BSides Cymru Writeup - My Thoughts</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Thu, 03 Oct 2019 12:09:01 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/bsides-cyrmu-writeup-my-thoughts-djj</link>
      <guid>https://forem.com/testingtheeventhorizon/bsides-cyrmu-writeup-my-thoughts-djj</guid>
      <description>&lt;p&gt;It was an overcast day, the train was virtually empty, people on their phones, chatting and going about their business. Looking around, I started to think about all things security.&lt;/p&gt;

&lt;p&gt;On the wall, there was a poster that said that you could have in-train Wi-Fi access. People generally trust them, how easy would it be to pretend to be that access point and get lots of people to connect?&lt;/p&gt;

&lt;p&gt;Shoulder surf someone that's on WhatsApp? They're too busy talking with each other to really think about what information they're giving out.&lt;/p&gt;

&lt;p&gt;It makes you think...&lt;/p&gt;

&lt;p&gt;Why was I thinking this?&lt;/p&gt;

&lt;p&gt;I was going to a security conference/meetup. It was the first one that I knew of that was being held in Cardiff. The people responsible were Bsides Cymru.&lt;/p&gt;

&lt;p&gt;Security BSides (commonly referred to as BSides) is a series of loosely affiliated information security conferences.&lt;/p&gt;

&lt;p&gt;This was the first one that they've held in Wales. So I was lucky enough to grab a ticket.&lt;/p&gt;

&lt;p&gt;It was a day filled with numerous talks, Technical Villages and Sponsors.&lt;/p&gt;

&lt;p&gt;I couldn't be there all day so I ended up arriving at midday. So my focus was on making sure that I saw the sponsors and the technical villages as I tend to learn by doing. That, and I wanted to people watch.&lt;/p&gt;

&lt;p&gt;Talking about people, it was nice to see some people from diverse backgrounds and there were a lot more women present than I expected. (Only due to my experience in working in IT/Tech). It was nice.&lt;/p&gt;

&lt;p&gt;So after wandering around the various halls and tracks and looking a little lost. ( I would fail at Social Engineering - "You lost Mate?...Er...no")&lt;/p&gt;

&lt;p&gt;I found myself talking to the sponsors. I felt that my place was a weird one, almost an outlier. I wasn't a student and I wasn't fully in the world of Information Security. I'm just an experienced QA who has the skills to communicate with all levels, has experience testing APIs and Web Apps, some mobile experience and have recently got interested in Application/Web Security and Penetration Testing. It might not be true, I just had that spidey sense feeling.&lt;/p&gt;

&lt;p&gt;What I really appreciated was the Mr Robot Capture the Flag. Looking at the times that were on the leaderboard, it made me feel stupid - but not in a bad way. It was a good self awareness exercise in that I knew that I have a long way to go in terms of knowledge. However, as I said to one of the people that ran the stall, I feel like I'm in the good period of learning. Everything is new, shiny and I get a good satisfaction when I get a new concept.&lt;/p&gt;

&lt;p&gt;I let them know that I had no chance, but they kindly gave me a five minute introduction to Metasploit and Kali. It was appreciated and I learnt a lot.&lt;/p&gt;

&lt;p&gt;After completely missing the Lock picking village when I first got into the event, I found it and got a crash course in lock picking. Tried to get the feel of the 1 pin and I got it. Managed to unlock. 2 pin, I just couldn't get the feel of the second pin to find the sticky point. I guess more practice is needed.&lt;/p&gt;

&lt;p&gt;I also stopped by the Car Hacking Village and despite most of the terminology being over my head, I did appreciate the knowledge and what you can do with cars if the owner is not careful. A lot of information is held within the Infotainment systems.&lt;/p&gt;

&lt;p&gt;Networking - I didn't network as much as I wanted to, but it is hard at an event like that, especially when I'm trying to ensure that I take everything in. However, I did meet mRr3boot(@UK_Daniel_Card) and Security Nihilist (@a8n_pub). So, for me that is a win. Next time I go to an event, I can network with more people. It's a gradual process.&lt;/p&gt;

&lt;p&gt;So, I enjoyed the event, loved the swag that we got, the food was excellent and the weather, despite being rainy held out enough to be decent.&lt;/p&gt;

&lt;p&gt;I hope that as it gets bigger, that they do the following:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Have more sponsors to visit&lt;/li&gt;
&lt;li&gt;Continue with the tracks and if you missed them, put them on YouTube (which they have)&lt;/li&gt;
&lt;li&gt;The biggest change/introduction that I would love to see for someone like me is to have interactive workshops (like the lock picking) on various topics.

&lt;ul&gt;
&lt;li&gt;New to OSINT, here's a workshop where you can use tools and methods to find information&lt;/li&gt;
&lt;li&gt;New to CTF, here's a CTF of different levels (I realise that there are tons on the net)&lt;/li&gt;
&lt;li&gt;Interested in Mobile Hacking - Here's how to reverse engineer a mobile phone and the information to look out for.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You get the idea, I think that it would be very popular.&lt;/p&gt;

&lt;p&gt;Anyway, I've rambled on long enough. Let me know what you think and I look forward to attending next year's event.&lt;/p&gt;

</description>
      <category>meetups</category>
      <category>infosec</category>
      <category>devjournal</category>
    </item>
    <item>
      <title>Presentations I would love to watch</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Mon, 02 Sep 2019 17:18:16 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/presentations-i-would-love-to-watch-5g1n</link>
      <guid>https://forem.com/testingtheeventhorizon/presentations-i-would-love-to-watch-5g1n</guid>
      <description>&lt;p&gt;I was thinking if i could present or watch a presentation, what subjects would I be interested in.&lt;/p&gt;

&lt;h3&gt;
  
  
  Information Security
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;My Mobile App is leaking, what do I do?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;With the amount of new applications that are on the Google and iOS Marketplace, it is inevitable that some of the applications are not going to be as secure as they should be. The focus of the applications are the easy targets of kids' games. How do we know that the new Dora the Explorer app isn't mining your phone and telling the world your secrets? This talk will show you how to check the applications.&lt;/li&gt;
&lt;li&gt;What to look for when browsing the Marketplace&lt;/li&gt;
&lt;li&gt;Permissions, why do you want to access that?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Is there any room at the Inn?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;It's late, you've gone through passport control and you arrive at your hotel. You've paid €/$/£25 for next day breakfast and all you want to do is crash in your room.

&lt;ul&gt;
&lt;li&gt;You get into your room and notice that they have Wi-Fi. Sometimes it's a private one, sometimes it's a public Wi-Fi with no credentials. As a savvy user of the Internet, you want to know the dangers and what you can do to secure your laptop and data. This presentation will tell you how.&lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Did you check the front door?&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You've got a new modem and you've hooked up all of your devices to your network. You've got your MacBooks, PS4, Xboxes, IoT kettle, your Google Home/Alexa. How do you check that you've locked the front door and no-one is spying on you?

&lt;ul&gt;
&lt;li&gt;How to check your IoT devices&lt;/li&gt;
&lt;li&gt;How to ensure that you've locked the front door and you have no open ports&lt;/li&gt;
&lt;li&gt;Good Home Network Hygiene &lt;/li&gt;
&lt;/ul&gt;


&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Hi, My name is 'Name'&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You work as a QA but you're interested in Information Security. How do you approach your Information Security department and integrate yourself with them? How do you let them know that you're interested in what they do? I know people enjoy talking about themselves (well, maybe not Info Sec people, what with Social Engineering). How can you do the above without annoying them?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are just ideas I've had and I'll be thinking and doing a post about the Quality Assurance talks that would be interesting. Let me know what you think and if there are good presentations about the above, then please let me know.&lt;/p&gt;

</description>
      <category>devjournal</category>
      <category>qualityassurance</category>
      <category>security</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Testing the Event Horizon - My InfoSec and QA Journey.</title>
      <dc:creator>Steveland</dc:creator>
      <pubDate>Sun, 01 Sep 2019 07:56:02 +0000</pubDate>
      <link>https://forem.com/testingtheeventhorizon/testing-the-event-horizon-my-infosec-and-qa-journey-568h</link>
      <guid>https://forem.com/testingtheeventhorizon/testing-the-event-horizon-my-infosec-and-qa-journey-568h</guid>
      <description>&lt;blockquote&gt;
&lt;p&gt;You must accept that you might fail; then, if you do your best and still don't win, at least you can be satisfied that you've tried. If you don't accept failure as a possibility, you don't set high goals, you don't branch out, you don't try - you don't take the risk. - Rosalynn Carter&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;This first blog post is going to be my effort to track my progress, to solidify what I'm aiming to do soon. By journaling about my progress, goals, and motivations, I will be able to keep a record of what I've achieved.&lt;/p&gt;

&lt;p&gt;It also helps with the networking aspect if people read, like and comment on what I've written.&lt;/p&gt;

&lt;p&gt;So what will I be blogging about? &lt;/p&gt;

&lt;p&gt;Two main areas - Quality Assurance and Information Security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Quality Assurance&lt;/em&gt;&lt;/strong&gt; - I've been in the QA game since 2004 so it's been a while and while I haven't seen the wide range of what's out there in the field, I like to think that I've dabbled in a bit of everything. I'm a believer in exploratory testing, being an advocate of good quality being present within the team and I always view automation as a good tool to aid rather than being the mythical unicorn that will come in and solve everything.&lt;/p&gt;

&lt;p&gt;I'm starting a new job soon where I'll be defining processes and seeing what I can do to improve. What I'll do is blog about it (obviously generically enough to not give too much away). I think it will be a good way of:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Tracking my accomplishments&lt;/li&gt;
&lt;li&gt;Showing myself and others that yes, I do know what I'm on about&lt;/li&gt;
&lt;li&gt;Connecting to other people in the QA blogosphere.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Information Security&lt;/em&gt;&lt;/strong&gt; - I've always been interested in Security in the context of Quality Assurance, but in the past, I've never really known how to start. Only recently, by looking at people on Twitter have I been able to step back and do some research on what Information Security means.&lt;/p&gt;

&lt;p&gt;That is one of the reasons I chose the name &lt;em&gt;Testing the Event Horizon&lt;/em&gt; - I know it doesn't make sense, but the way I see the field of InfoSec is that once past a certain point, it just pulls you in and you have no chance of getting out.&lt;/p&gt;

&lt;p&gt;I never realised that there were so many avenues in the field from research to incident response, to blue/red/purple teams and other avenues that I've not explored yet.&lt;/p&gt;

&lt;p&gt;For me, it's a case of I think that I'm interested in Application Security more than reverse-engineering malware. I'm more interested in wifi/phone security than having to look at assembly code.&lt;/p&gt;

&lt;p&gt;However, I'm not going to say no, as learning is going to be fun; I think that's where my interests are going to be focused.&lt;/p&gt;

&lt;p&gt;What I am doing is going back to basics and learning about networks and delving deep into APIs and really understanding what it means to test APIs. I'm also looking at resources such as picoCTF, OverTheWire and OWASP Juice Box.&lt;/p&gt;

&lt;p&gt;I'm also keen on getting a mentor in the InfoSec space. &lt;/p&gt;

&lt;p&gt;So I'll keep this short and continue to write more. &lt;/p&gt;

&lt;p&gt;Look forward to hearing comments.&lt;/p&gt;

</description>
      <category>devjournal</category>
      <category>infosec</category>
      <category>softwaretesting</category>
      <category>qa</category>
    </item>
  </channel>
</rss>
