unstruct.ai - An AI-Enabled, Open-Source Alternative to PagerDuty. With UnStruct.AI, you're not just getting another cybersecurity tool – you're getting an all-in-one powerhouse. Instead of juggling multiple tools and racking up costs for each, get everything under one roof. Whether it's for paging, incident response, analysis, status updates, SLO/uptime monitoring, or a sprinkle of tech magic.
Monday, November 27. 2023
SIEM, Incident Management
Sunday, October 29. 2023
DNS Threat Policy Zones
- Protective DNS – Why It Matters, How to Deploy It On-prem, and to Take Control and Defense back (https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf)
- Threat blocking
- Introducing 1.1.1.1 for Families
- Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them
At one point Firefox was going to send everything to their favorite DoH resolver, but they got a great deal of pushback from people who pointed out that they had policies on their networks and would have to ban Firefox. Firefox responded with a lame hack: you can tell your cache to respond to some name, and if it does, Firefox will use your resolver.
Wednesday, July 19. 2023
Wireguard in a Debian LXC Container
There was a note on reddit/r/debian which states that WireGuard is fully integrated into the Linux kernel as of kernel v5.10. I suppose I could have saved a bunch of drama with upgrading to Bookworm, which has kernel v6.1 natively, by instead using Bullseye-Backports, but I decided to go all the way. Hindsight is 20/20. A few other machines were already running Bookworm, so I thought I would have no problems.
It is nice to see that wireguard-tools references nftables. And there are a number of examples as reference for various scenarios.
So, with WireGuard in the kernel, no dkms installation is required. Just the installation of the tools (assumes root or sudo). Use --no-install-recommends; otherwise the recommended packages will replace your kernel with a real-time kernel.
# apt install --no-install-recommends wireguard-tools
# cd /etc/wireguard
Create the keys for a peer to peer session:
# wg genkey | tee key_server_private | wg pubkey > key_server_public
# wg genkey | tee key_client_private | wg pubkey > key_client_public
# chmod -v 600 key*
# ls -al /etc/wireguard/
total 20
drwx------ 1 root root   54 Jul 18 04:30 .
drwxr-xr-x 1 root root 2348 Jul 19 01:29 ..
-rw------- 1 root root   45 Jul 19 02:49 key_client_private
-rw------- 1 root root   45 Jul 19 02:49 key_client_public
-rw------- 1 root root   45 Jul 19 02:49 key_server_private
-rw------- 1 root root   45 Jul 19 02:49 key_server_public
A sample edge interface for server side termination of VPN (file name: wg0.conf):
[Interface]
Address = 10.20.10.1/24
#SaveConfig = true
ListenPort = 51820
PrivateKey = <server private key>

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.20.10.0/24
A sample client interface, say on an Android, for connection back to the server side (file name: wg0-client.conf):
[Interface]
Address = 10.20.10.11/24
PrivateKey = <client private key>
DNS = 10.10.30.100

[Peer]
PublicKey = <server public key>
Endpoint = <server outside address>:51820
AllowedIPs = 10.20.10.0/24, 10.10.0.0/16
PersistentKeepalive = 21
If the allowed address is '0.0.0.0/0', then all traffic goes through the VPN. Use ipv6-test.com or ipleak.net to verify that traffic is going through the VPN, or use something like WhatIsMyIpAddress.
Impressively, someone has created a QR generator which will render a code in the terminal window (not a graphic file, but an ANSI rendering in a terminal window). This can then be scanned by the Android WireGuard app to load the configuration.
$ qrencode -t ansiutf8 < wg-android.conf
I use a SaltStack script to build a zone-based firewall composed of nftables rules. Basically two rules are needed: a) burn a port through the firewall, and b) allow access to the interior network sections for one or all ports.
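As an added example (not code from the original post), the following Python script cross-checks a server config against a client config of the shape shown above: it parses the INI-style files, verifies that each side's AllowedIPs actually covers the other's tunnel address (WireGuard's cryptokey routing silently drops traffic otherwise), checks that the client's Endpoint port matches the server's ListenPort, reports whether the client is a full-tunnel (0.0.0.0/0) client, and derives the two firewall rules described above as nft statements. The sample config texts, the endpoint host name `vpn.example.invalid`, and the interface names `eth0`/`wg0` are constructed assumptions; the nft lines are a generic illustration, not the author's SaltStack-generated zone firewall.

```python
"""Cross-check a WireGuard server config against a client config (added example)."""
import ipaddress

# Constructed sample configs mirroring the post's wg0.conf and wg0-client.conf.
SERVER_CONF = """\
[Interface]
Address = 10.20.10.1/24
#SaveConfig = true
ListenPort = 51820
PrivateKey = <server private key>

[Peer]
PublicKey = <client public key>
AllowedIPs = 10.20.10.0/24
"""

CLIENT_CONF = """\
[Interface]
Address = 10.20.10.11/24
PrivateKey = <client private key>
DNS = 10.10.30.100

[Peer]
PublicKey = <server public key>
Endpoint = vpn.example.invalid:51820
AllowedIPs = 10.20.10.0/24, 10.10.0.0/16
PersistentKeepalive = 21
"""


def parse_wg(text):
    """Parse a WireGuard config into {'Interface': {...}, 'Peers': [{...}, ...]}.
    [Peer] sections repeat, so we keep a list instead of using configparser
    (which would merge duplicate section names)."""
    conf = {"Interface": {}, "Peers": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments such as '#SaveConfig = true'
        if not line:
            continue
        if line.startswith("["):
            name = line.strip("[]")
            if name == "Interface":
                current = conf["Interface"]
            elif name == "Peer":
                current = {}
                conf["Peers"].append(current)
            else:
                raise ValueError(f"unknown section {name}")
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return conf


def allowed_networks(peer):
    return [ipaddress.ip_network(n.strip()) for n in peer["AllowedIPs"].split(",")]


def check_pair(server_text, client_text):
    """Return a list of findings; an empty list means the pair is consistent."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    findings = []
    srv_addr = ipaddress.ip_interface(srv["Interface"]["Address"])
    cli_addr = ipaddress.ip_interface(cli["Interface"]["Address"])
    # The server must have a peer entry whose AllowedIPs covers the client's tunnel address.
    if not any(cli_addr.ip in n for p in srv["Peers"] for n in allowed_networks(p)):
        findings.append(f"server has no peer AllowedIPs covering client {cli_addr.ip}")
    # Symmetric check: the client must route the server's tunnel address into the tunnel.
    cli_peer = cli["Peers"][0]
    if not any(srv_addr.ip in n for n in allowed_networks(cli_peer)):
        findings.append(f"client AllowedIPs do not cover server {srv_addr.ip}")
    # The Endpoint port must be the port the server listens on.
    port = int(cli_peer["Endpoint"].rsplit(":", 1)[1])
    if port != int(srv["Interface"]["ListenPort"]):
        findings.append(f"client Endpoint port {port} != server ListenPort")
    return findings


def is_full_tunnel(client_text):
    """True when the client sends all traffic through the VPN (a 0.0.0.0/0 or ::/0 AllowedIPs)."""
    peer = parse_wg(client_text)["Peers"][0]
    return any(n.prefixlen == 0 for n in allowed_networks(peer))


def edge_rules(server_text, client_text, wan_if="eth0", wg_if="wg0"):
    """The two rules the post describes, as illustrative nft statements:
    a) let the WireGuard UDP port through the edge on the outside interface,
    b) forward traffic from the tunnel into each interior network the client may reach."""
    srv, cli = parse_wg(server_text), parse_wg(client_text)
    tunnel = ipaddress.ip_interface(srv["Interface"]["Address"]).network
    rules = [f'iifname "{wan_if}" udp dport {srv["Interface"]["ListenPort"]} accept']
    for net in allowed_networks(cli["Peers"][0]):
        if net != tunnel and net.prefixlen != 0:  # interior ranges only
            rules.append(f'iifname "{wg_if}" ip daddr {net} accept')
    return rules


if __name__ == "__main__":
    print(check_pair(SERVER_CONF, CLIENT_CONF) or "configs consistent")
    print("full tunnel:", is_full_tunnel(CLIENT_CONF))
    print("\n".join(edge_rules(SERVER_CONF, CLIENT_CONF)))
```

Run it against the real files by reading them in place of the constructed strings; the most common silent failure it catches is a client Address that was changed without updating the server's AllowedIPs, which leaves the handshake working but no traffic flowing.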
To turn on the interface and start it automatically:
# chmod -v 600 /etc/wireguard/wg0.conf
# wg-quick up wg0
# systemctl enable wg-quick@wg0.service
To turn off the interface and keep it off:
# wg-quick down wg0
# systemctl disable wg-quick@wg0.service
To show connections and status:
# wg show
interface: wg0
  public key: <server public key>
  private key: (hidden)
  listening port: 51820

peer:
  endpoint: :4496
  allowed ips: 10.20.10.0/24
  latest handshake: 44 minutes, 26 seconds ago
  transfer: 2.50 MiB received, 33.47 MiB sent
With SaveConfig enabled, more clients can be added and saved:
# wg genkey | tee key_mac_private | wg pubkey > key_mac_public
# wg set wg0 peer <mac public key> allowed-ips 10.20.10.12/32
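To turn the `wg show` status above into something a monitoring job can act on, here is an added example (not code from the original post) that parses the human-readable output into one dict per peer, converts the "latest handshake" phrase into seconds, and flags peers whose last handshake is older than a threshold or that have never completed one. The sample output is constructed: the peer key and endpoint address that the post redacts are filled with placeholders, and a second peer (the "mac" client added above, never yet connected) is invented.

```python
"""Parse `wg show` output and flag stale or never-connected peers (added example)."""
import re

# Constructed sample `wg show` output; keys and the endpoint address are placeholders.
SAMPLE = """\
interface: wg0
  public key: <server public key>
  private key: (hidden)
  listening port: 51820

peer: <client public key>
  endpoint: 203.0.113.7:4496
  allowed ips: 10.20.10.0/24
  latest handshake: 44 minutes, 26 seconds ago
  transfer: 2.50 MiB received, 33.47 MiB sent

peer: <mac public key>
  allowed ips: 10.20.10.12/32
  transfer: 0 B received, 0 B sent
"""

UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def handshake_age_seconds(text):
    """'44 minutes, 26 seconds ago' -> 2666. wg prints 'Now' for a handshake in the current second."""
    if text.strip().lower() == "now":
        return 0
    total = 0
    for count, unit in re.findall(r"(\d+)\s+(second|minute|hour|day)s?", text):
        total += int(count) * UNITS[unit]
    return total


def parse_wg_show(output):
    """Return (interface_dict, [peer_dict, ...]) from `wg show` text.
    Every line is 'key: value'; 'interface:' and 'peer:' open a new block."""
    interface, peers, current = {}, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")  # first colon only: endpoints contain ':port'
        key, value = key.strip(), value.strip()
        if key == "interface":
            current = interface
            current["name"] = value
        elif key == "peer":
            current = {"public key": value}
            peers.append(current)
        else:
            current[key] = value
    return interface, peers


def stale_peers(output, max_age_seconds=180):
    """Peers whose handshake is older than max_age_seconds, or that never handshaked.
    WireGuard re-handshakes about every two minutes while traffic flows, so an age
    well beyond that means the tunnel is idle or the peer is gone; a peer with no
    'latest handshake' line has never connected (a provisioned-but-unused key)."""
    _, peers = parse_wg_show(output)
    findings = []
    for peer in peers:
        if "latest handshake" not in peer:
            findings.append((peer["public key"], "never"))
            continue
        age = handshake_age_seconds(peer["latest handshake"])
        if age > max_age_seconds:
            findings.append((peer["public key"], age))
    return findings


if __name__ == "__main__":
    for key, age in stale_peers(SAMPLE):
        print(f"stale peer {key}: last handshake {age}")
```

For a cron job it is better to feed `wg show wg0 dump` into a parser instead: that form is tab-separated and carries the handshake as a Unix timestamp, so no phrase parsing is needed; the human-readable form is parsed here because it is what the post shows.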
Stan's Blog mentioned terminating the server side VPN on UDP port 53. Many, if not most, networks allow this out, so it would be a way out of a heavily protected network to the destination.
Note: this config was added to a privileged LXC container; nothing special was required for building the WireGuard interface.
Sunday, November 6. 2022
Principles of Secure System Design
- A capable attacker will look for plaintext
- red/black separation
- Schneier's principle
- Zooko's tradeoff
- Kerckhoffs's Principle
- Corollary to Metcalfe's principle [2]
- It is easier for insiders to steal information - also janitors, cleaners
- Design for known threats
- Design for future threats
- Design for unknown threats as far as possible
- existing systems persist
- defence in depth
- monoculture -> target more attractive, usually more brittle
- the capital and operating costs of well-designed secure systems are about the same as those of insecure ones until the insecure ones fail
- keep intrusion records
- keep i/o records
- cheap and effective security needs good system design.
- if it's expensive, it probably won't be effective.
- Unless it is for your use alone you do not control what a system is to be used for
- Even if it is for your use alone you do not control the resources which will be pitted against your system
- cryptanalysis is difficult - but people can do difficult things
- people offering the impossible are lying
- in code, nothing ever really goes away
The principles can sometimes be broken or wrong, unlike the laws.
[2] the security of a secret is inversely proportional to the square of the number of people who know it
- Peter Fairbrother
Laws of Secure System Design
- It's all about who is in control
- Someone else is after the things you have
- An attacker can't steal things which aren't there to steal
- Everywhere can be attacked
- More complex systems provide more places to attack
- Attack methods are many, varied, ever-changing and eternal
- Only those you trust can betray you
- Holes for good guys are holes for bad guys too
- A system which is hard to use will be misused, abused and underused
- Security is a Boolean. [1]
- Items of data once publicly linked cannot be reliably unlinked
[1] Looking back in time from the future - did it work? Then it was secure enough. Can be hard to see that from the present though, and even from the future not all harmful breaches can be seen.
- Peter Fairbrother
Sunday, April 10. 2022
Mail Flow Settings to Consider
- IP -> PTR lookup -> forward lookup of that hostname -> check that it matches the original IP again
- SPF
- DKIM - one possible implementation: OpenDKIM - opendkim is an excellent tool, which helped find the real problem with a simple "Diagnostics yes" in the config file.
- DMARC
- ARC (for mailinglists)
- SRS (When forwarding, rewrite the From and resign DKIM, and then ARC-sign that)
- Decent TLS
- MTA-STS
- DANE
Use a site like internet.nl for testing mail server configuration and capabilities
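The first item in the list above, the PTR-then-forward check (forward-confirmed reverse DNS), implemented as an added example that is not part of the original post. The resolver is injectable so the check runs offline against a constructed zone with one correctly configured host and one whose PTR name does not resolve back; `live_resolver` is an assumed wrapper around dnspython's `dns.resolver.resolve` for real lookups. The host names and addresses are constructed (documentation/invalid ranges).

```python
"""Forward-confirmed reverse DNS check with a pluggable resolver (added example)."""
import ipaddress

# Constructed DNS data: 203.0.113.7 is set up correctly, 203.0.113.9 has a PTR
# that points at a name resolving elsewhere (what a forged or stale reverse zone looks like).
FAKE_ZONE = {
    ("7.113.0.203.in-addr.arpa", "PTR"): ["mail.example.invalid."],
    ("mail.example.invalid.", "A"): ["203.0.113.7"],
    ("9.113.0.203.in-addr.arpa", "PTR"): ["bogus.example.invalid."],
    ("bogus.example.invalid.", "A"): ["198.51.100.5"],
}


def fake_resolver(name, rtype):
    """Offline resolver: returns the rdata strings for (name, rtype) or [] if absent."""
    return FAKE_ZONE.get((name, rtype), [])


def live_resolver(name, rtype):
    """Real lookups via dnspython (assumption: dnspython >= 2.0 installed; import is deferred
    so the example still runs offline with fake_resolver)."""
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


def fcrdns(ip, resolve=fake_resolver):
    """Return (ok, reason). ok is True only if some PTR name of `ip` resolves
    forward (A or AAAA, matching the address family) back to `ip` itself."""
    addr = ipaddress.ip_address(ip)
    ptr_names = resolve(addr.reverse_pointer, "PTR")  # e.g. '7.113.0.203.in-addr.arpa'
    if not ptr_names:
        return False, "no PTR record"
    rtype = "A" if addr.version == 4 else "AAAA"
    for name in ptr_names:
        forward = resolve(name, rtype)
        if any(ipaddress.ip_address(a) == addr for a in forward):
            return True, name
    return False, f"PTR name(s) {ptr_names} do not resolve back to {ip}"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "203.0.113.9", "192.0.2.1"):
        print(ip, fcrdns(ip))
```

Note that the forward lookup is done on the PTR name, not on the HELO name the client presents; the two checks are different and a sender can pass one while failing the other. Treat a failure as a scoring signal rather than a hard reject unless your own sending hosts are known to pass it.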
Follow up comment: Google at least adds ARC headers in Gmail, and did the editing of RFC8617. ARC – Authenticated Received Chain
Follow up comment: Bimi Group - is snakeoil, or well, a scam is more like it: if you can pay and they like you, you get a logo, anybody else is out... marketing companies of the world (and the ones earning money for bits a la domains and worse EV SSL certs... rejoice)
Follow up link: mailing lists are the ugly stepchild
Settings for mailing list:
We have SPF, DKIM signing, and a DMARC policy that sets p=none.
We're not setting p=reject, considering the number of mailing lists our users are on that are outdated or based on EOL software (including this one which depends on python 2.7, and including our own which have the same problem). It's impossible to know, from the outside, how mailing lists are configured. Mailman3 is...special. That's a rant for another time.
We get about an email a week from someone emailing security-officer@ trying to get a bug bounty telling us we should set p=reject. There's an ecosystem for this stuff.
Note: Yup. Gmail has made it quite clear that they will not accept v6 mail that isn't SPF or DKIM authenticated. DKIM is more work but works more reliably.
ARC: It's certainly not a magic ticket into an inbox but it is slowly helping undo DMARC mailing list damage. It's not important unless you forward mail like a mailing list does.
What ARC does:
ARC addresses the problem that mailing lists do a lousy job of spam filtering. A list that usually sends lovely clean mail sometimes doesn't, since a typical list forwards anything with a subscriber's address on the From line, including spam from cleverish spammers who take pairs of from/to addresses from stolen mailboxes.
ARC lets the recipient system look back and do what we might call retroactive filtering, using info about messages as they arrived at the previous forwarder. While it would be nice if lists did a better job of spam filtering, they don't, and ARC is a reasonable remedy for that.
Additional protection settings:
I run my own mail server and have no trouble at all delivering mail to Gmail over IPv6. I do have SPF, DKIM, DNSSEC and DANE on my mail servers. My DMARC policy is p=none. If it matters, the MTA is a heavily hacked version of qmail.
Someone mentioned nullmailer as a small mail program that allows you (or your system) to send mails through an existing email account (using an SMTP server).
In response to "Clearly, someone used the reputation of ImprovMX.com to deliver emails by forging them before delivery.": DKIM replay attacks preventative measures
2022/04/24 added - DMARC Domain Checker
2022/06/12 added - Email Audit - Check the DNA of your email against important best practices.
Tuesday, January 18. 2022
Papers 2022/01/17
Security Orchestration, Automation, and Response Engine for Deployment of Behavioural Honeypots
Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.
Tuesday, November 2. 2021
crunchy on the outside, chewy on the inside
Today, if you want to do a ransomware attack against a business, first you go on a wardrive, collect a pile of passwords, look for wifi networks of interesting businesses, and then start hacking their network from the inside. You will find plenty of information in the clear on the inside to mount a spear-phishing attack, not to mention you will be able to collect a pile of hashes of passwords used on the internal network, and then find a pile of administrative passwords.
The most serious flaw shown here is the delusion that "inside" is more secure than "outside". The good old crunchy on the outside, chewy on the inside... If you are not managing your network with the assumption that the barbarians are already inside, then you are setting yourself up for trouble.
Seen on cryptography mail list
Friday, October 22. 2021
What is Yours is Mine
My point is ... there is nothing out there on the Internet that needs data from my device - at least not for any reason useful to me - so there's no need for the device to be able to send packets. -- bear
Saturday, March 20. 2021
Open Source Security: Abstracting the Control Plane
From Key Takeaways:
- Open source programs are typically platform-agnostic, allowing them to be used in nearly any cloud and run with any application.
- Encryption is a fundamental security feature.
- Open source programs like Let’s Encrypt use encryption to ensure website domains and other programs have secure communication protocols.
- Virtualized security functions are best used with software-defined security orchestration because that brings out benefits like automation and function scalability.
- By using an open source update system framework like TUF, attackers have a harder time manipulating the update system and corrupting software.
- An open source policy controller works across clouds and platforms and enables application policies to be more uniformly applied and enforced in those environments.
- A modern open source runtime security program can better protect a cloud-native application because it can work with many cloud-native applications across multiple clouds.
References to:
- Open Security Controller Project
- The Update Framework
- Open Policy Agent - meat and potatoes of policy evaluation and deployment
Sunday, March 7. 2021
"Policy Enforcement" vs "Firewall/IDS"
Bringing this back to security—instead of thinking “I need a firewall,” you should be thinking “I need a Policy Enforcement Point that can control network traffic, and a way to define that policy across my infrastructure.” Or, from another angle—instead of thinking “I need to deploy an IDS here to examine my web app traffic for SQL injections,” you should be thinking “I need to make sure that the web application traffic is scanned for SQL injections before it is processed by the app. I have several PEPs in my architecture that may be able to accomplish this goal.” -- Zero Trust Security, An Enterprise Guide, p51
Sunday, July 5. 2020
SSH Tooling
Some SSH advanced features:
- SSH Emergency Access - design a break glass procedure for reaching SSH hosts in an emergency, using security keys that you can store offline
- How to SSH Properly - a few different ways to easily improve the security of the SSH model without needing to deploy a new application or make any huge changes to user experience - certificates, bastion hosts, 2-factor authentication
- SSH Handshake Explained
- gravitational / teleport - from How Uber, Facebook, and Netflix Do SSH
2021/09/20 - I have some SaltStack code I have yet to publish which implements a solution using the SaltStack event bus to send user and host ssh key/certificates to an ssh certificate authority for signing, and then returning and installing the signed certificates. I say this because today I read about HIBA Host Identity Based Authorization in an article at Google: Announcing HIBA: Host Identity Based Authorization for SSH .
Monday, January 20. 2020
Network Monitoring and Protection
- Zeek is a powerful network analysis framework that is much different from the typical IDS you may know. (Zeek is the new name for the long-established Bro system. While focusing on network security monitoring, Zeek provides a comprehensive platform for more general network traffic analysis as well.) Threat Hunting with Bro IDS
- BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. The repository contains 2443 tools. You can install tools individually or in groups. BlackArch Linux is compatible with existing Arch installs.
- Stratosphere IPS for Linux is an intrusion prevention system that is based on behavioral detections and machine learning algorithms. Makes use of Zeek.
- Security Onion - Linux distro for intrusion detection, enterprise security monitoring, and log management
- SecTools.Org: Top 125 Network Security Tools - several years old for the newest releases (looks like 2016 is most recent). Doesn't have tools like Suricata.
- Argus is the first network flow system, developed by Carter Bullard in the early 1980's at Georgia Tech, and adopted for cyber security at Carnegie Mellon's Software Engineering Institute in the late 1980's. Network flow technology has become a critical part of modern cyber security and Argus is being used in some of the most important networks in the world. - last code around 2016 though. security links.
Papers:
- Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS Protocol in (IJCSIS) International Journal of Computer Science and Information Security, Vol. 17, No. 5, May 2019
Monday, December 9. 2019
Cygwin ssh-pageant
On a Windows platform, I use SSH tools in two incarnations: a) Cygwin, or b) PuTTY.
When using PuTTY, to connect to a destination host, it is convenient to use pageant as a memory resident program to hold 'opened' private keys.
When using SSH on Cygwin, ssh-pageant can be installed via the Cygwin installer. The trick for linking ssh-pageant to the Windows resident pageant is to put the following into .bashrc:
# ssh-pageant
eval $(/usr/bin/ssh-pageant -r -a "/tmp/.ssh-pageant-$USERNAME")
Wednesday, December 4. 2019
Security Tools
- Sandboxed Execution Environment (SEE) is a framework for building test automation in secured environments. The sandboxes, provided via libvirt, are customizable, allowing a high degree of flexibility. Different types of hypervisors (Qemu, VirtualBox, LXC) can be employed to run the test environments.
- OWASP Zed Attack Proxy (ZAP) - helps you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It's also a great tool for experienced pentesters to use for manual security testing. With more tools at OWASP™ Foundation - the free and open software security community.
- Upgrade Your Security Incident Response Plan (CSIRP) : 7 Step Checklist 1) conduct a complete risk assessment, 2) identify key team members & stakeholders, 3) define security incident types, 4) inventory resources & assets, 5) plan hierarchy of information flow, 6) prepare a variety of public statements, 7) prepare an incident event log
- CISA - Assessments: Cyber Resilience Review (CRR)
- What is a Security Operations Center (SOC)? Best Practices, Benefits, & Framework - 1) establishing asset awareness, 2) preventive security monitoring, 3) keeping records of activity and communications, 4) ranking security alerts, 5) modifying defenses, 6) maintaining compliance
Security Web Sites
- Hacking Tools presented for pentesters - Kali Linux, Parrot Security OS, Black Arch, Nmap, Metasploit, Nikto (how to at Admin Magazine), Wireshark, SQLMap
- Mining Adminers – Hackers Scan the Internet For DB Scripts - I found "GET /adminer-4.4.0-mysql.php HTTP/1.1" in my own logs, one of many similar entries