#!/zitstif.no-ip.org/

I haven’t posted in a bit and thought I would update my site and share some quasi-random thoughts and lessons learned in IT/InfoSec in the past year or so:

1.) Having enough staff and support that handles IT/InfoSec matters is not only an operational concern but also a security concern. There have been plenty of instances of businesses being compromised or having issues during holidays when they’re running on a skeleton crew. There are businesses who try to continuously run on skeleton crews and use automation to augment them. In my humble opinion this is more of a risk than what it’s worth. Which leads me to my next point.

2.) Revenue and control are top priorities for businesses. I would even argue revenue is more important. Having and running a business is a risk/reward venture. People who take the risk of starting and growing a business are willing to do what helps the bottom line. This means that they don’t necessarily care about if they’re using vulnerable software or infrastructure. They don’t care how much you can ‘pwn’ them; they want to know how much of a risk it is and will it affect their bottom line. Adding to this point, years ago I remember seeing posts (that I can’t find at the moment) that some western businesses knowingly/assumingly let China steal intellectual property but were too afraid to report it to the western authorities because they did not want to lose the Chinese market.

3.) The world runs on vulnerable software and will continue to. If I’m a business owner and I have a Windows XP machine that is hooked up to my network with appropriate safety guards in place and this XP machine interfaces with a machine that is helping my bottom line, I really don’t care if it’s necessarily within compliance/regulations.  As a matter of fact, a lab I worked at had a blood platelet counting machine that is FDA approved, this machine still runs Windows XP.

4.) Regardless of what makes sense in the security realm, management can override controls. Try telling a CEO/founder that they need to have MFA on when they’re of an older generation and computers are just an annoyance and necessary evil for their business. Again, this person has likely taken big risks to get to where they are and make the business flourish. Additionally, auditors to this person are an annoyance and a barrier to how they want their business to operate.

5.) Rooky mistakes can lead to catastrophic failures. Recently, I was tasked with performing upgrades on a server farm and due to work, which was done on this server some years back, a loose screw was left in the chassis. The screw arced the motherboard and brought down huge sections of the network and security controls. Let us not forget what happened to MGM. Regardless of what level you’re at in IT/Infosec, having solid fundamentals is key.

6.) Documentation is almost as important if not at times more important than the work performed. We all know there’s google and ways of searching the web, however, the web can lead you down roads that are not accurate or only provide partial answers. In addition, documentation can be removed by the entities who desire this and this includes archive.org.  A robust documentation system that is up to date is key to any successful IT operation. Projects and complex issues should have well documented and reviewed processes that can be easily searched. I’m personally not a fan of documentation being stored on samba shares and prefer a solution maybe more similar to: https://itflow.org/

(This is also a good read/worthwhile mention: https://xwiki.com/en/Blog/open-source-alternatives-to-Confluence/)

7.) Skip the salesperson, reach out to an engineer. This might not necessarily be a given but anyone who doesn’t have to support a product or solution and is just peddling it, will try to sell you the moon. Contact the support engineers and see how that goes. Pick their brains and play the role of someone who may need more advanced help with the product or solution. Sales engineers could be a potential answer but to me, “sales” means we have a product or service to sell.

8.) Advanced threats or state actors will always find a way in. There’s this idea of absolute and perfect security that people may strive toward. We all appreciate their efforts but as long as there are entities with deep pockets and nearly limitless resources, they will find a way to compromise their targets. Your ransomware protection scheme has its gaps and a state actor will find flaws. Accept this reality.

9.) Your anti-ransomware backup solution isn’t bullet proof. As long as you need to perform space management on your backup solution, some sort of flag or parameter could be potentially exploited to encrypt your backups. I personally think off-line backups are a great means of deterring ransomware but again, they’re not bullet proof.

#Update 3/9/2024

10.) The software you use that relies on libraries or code from multiple sources is a huge risk. Software supply chain attacks should be a huge concern and not overlooked. Controlling the source of where you get your software from and how its verified is crucial. Hashing and using mock environments to test and monitor software might be a great means of mitigating this risk.

11.) Geofencing is a great tool but attackers adapt and errors can cause denial of service conditions. Pertaining to errors, see this reddit post regarding maxmind that I personally experienced: https://maglit.me/unngenedismist

12.) Saying, “I don’t know” is ok. If you don’t know something.. say it and don’t start speculating if you truly don’t know.

#Update 3/26/2024

13.) Air gapped security only works so long in isolation. An offline MS-DOS system that does a limited range of functions can be a victim to the sands of time. For instance, a key that this system produces may work for the intended applications of a time period or range but technology changes.

14.) All technology that is connected with some sorts of means to the internet is spyware. A device that is built with the best intentions of privacy and security, once connected to the internet is a means of exposing an almost infinite attack surface. For example, your 100% trusted device could connect to a bank and while your device is 100% secure by itself, you provide information to a compromised entity.

Deepfake technology can be used for malicious purposes. One notable example is when malicious actors used deepfake voice technology to swindle a CEO out of $243,000.

Imprimis, if you are not familiar with the concept of social engineering, take a look at:

https://en.wikipedia.org/wiki/Social_engineering_(security)

If you are looking for a good book on this topic, then I would highly suggest buying a copy of:

http://www.amazon.com/Social-Engineering-Art-Human-Hacking/dp/0470639539/ref=sr_1_1?ie=UTF8&qid=1327118815&sr=8-1

As for software implementations that you can use to leverage social engineering attacks on targets, David Kennedy‘s Social Engineering Toolkit (SET) is probably one of the best, if not only social engineering frameworks that I know of. SET does not really rely on vulnerable services which I believe is one of the most useful aspects of this toolkit. What you do have to rely on is social engineering. Services and software will be patched while humans will most likely always be vulnerable to social engineering attacks due to misplaced trust.

Despite the fact that this framework is practically the only of its kind, it does have some limitations in certain realms, namely the web site cloning feature. The issue I have ran into with SET is due to the user agent string not being easily switchable. To switch the user agent string for SET, you must manually edit the cloner.py (which is located in/src/webattack/web_clone/ directory) .

The default user agent of SET is:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

This means that when the Social Engineering toolkit makes a request on a website and clones it, the response of the web service is based on this user agent string.

What if I want to clone a website that is the mobile version? What if I want to clone a website that checks to see if end users are Microsoft Windows users? This is where the Social Engineering Toolkit User Agent Switcher(setuas.sh) is applicable. This is a very simple Bash shell program that edits the user agent string in the cloner.py module of SET to whatever you like. Simply execute this:

./setuas.sh /pentest/exploits/set/src/webattack/web_clone/cloner.py

You will then be prompted to enter in a user agent string which for instance could be:

Mozilla/5.0 (Linux; U; Android 2.3; en-us) AppleWebKit/999+ (KHTML, like Gecko) Safari/999.9

For the moment this is just a quick hack to address the issue. I believe that the SET team should add an option in the config file (/set/config/set_config) for end users to adjust accordingly.

setuas.sh is located here:

http://zitstif.no-ip.org/set/setuas.sh

If you want to just see the plain text version of this file, it is located at:

http://zitstif.no-ip.org/set/setuas.txt