The Truth about Social Media Content Delivery Networks

With the rise of social media across the entire globe, companies needed a way to speed up load times for large files such as photos, videos, and software downloads. The following description comes from Wikipedia on Content Delivery Networks:

A content delivery network, or content distribution network (CDN), is a geographically distributed network of proxy servers and their data centers. The goal is to provide high availability and performance by distributing the service spatially relative to end users. CDNs came into existence in the late 1990s as a means for alleviating the performance bottlenecks of the Internet,[1][2] even as the Internet was starting to become a mission-critical medium for people and enterprises. Since then, CDNs have grown to serve a large portion of the Internet content today, including web objects (text, graphics and scripts), downloadable objects (media files, software, documents), applications (e-commerce portals), live streaming media, on-demand streaming media, and social media sites.[3]

CDNs are a layer in the internet ecosystem. Content owners such as media companies and e-commerce vendors pay CDN operators to deliver their content to their end users. In turn, a CDN pays Internet service providers (ISPs), carriers, and network operators for hosting its servers in their data centers.

CDN is an umbrella term spanning different types of content delivery services: video streaming, software downloads, web and mobile content acceleration, licensed/managed CDN, transparent caching, and services to measure CDN performance, load balancing, Multi CDN switching and analytics and cloud intelligence. CDN vendors may cross over into other industries like security, with DDoS protection and web application firewalls (WAF), and WAN optimization.


Open-Source SOAR Solution: Part 1

In an industry that is tool- and software-centric, we can lose sight of the true solution within cyber security. Many companies will buy a specific product to be the “silver bullet” for all their cyber security needs, but unfortunately that product will never truly exist. If we as an industry truly want to succeed in this game of cat and mouse, we must go back to the basics and create “solutions” that are vendor agnostic. Many frameworks have been created to help us get there, but many of them depend on extensive knowledge and resources (people) to succeed.

Security Operations Automation and Response

SOAR (Security Operations Automation and Response) is meant to be that “magic bullet”, at least according to the main vendors in this space (Splunk>Phantom, Swimlane, and Demisto>Cortex). The problem with traditional SOAR platforms is that you normally get “locked” into that specific platform. You may spend hundreds of hours creating “playbooks” to meet your automation needs; unfortunately, if you ever decide to leave that vendor, chances are you will have to re-create those playbooks. What we are doing at Sorsnce Enterprise Labs is trying to create a vendor-agnostic solution to help fill this gap.


Open-Source SSL Cert Management

As an Application Security Engineer/Security Researcher, I spend a lot of time tinkering within my home lab. Unfortunately, my home lab has become more than just a habit... an obsession, maybe? However, you can check out some incredible home lab setups by checking out the r/homelab subreddit. I recently posted my current server rack setup; you can find that post here.

Despite spending money and time tinkering within my home lab, I have never had a chance to set up a proper SSL cert management system. I was always reminded of this by the self-signed certificate error messages from Firefox or Chrome.

So I decided to go ahead and create a super simple open-source cert management system with OpenSSL.


Announcing CVE-2018-12076

I am announcing a vulnerability that I found in the UPC bar code of the Avanti Markets MarketCard. It could allow an unauthenticated, local attacker to access funds within the customer’s MarketCard balance, and could also lead to customer information disclosure.

The data (as submitted to MITRE) is below:

Vulnerability Announcement

Suggested description

A vulnerability in the UPC bar code of the Avanti Markets MarketCard could allow an unauthenticated, local attacker to access funds within the customer’s MarketCard balance, and could also lead to customer information disclosure. The vulnerability is due to a lack of proper validation of the UPC bar code present on the MarketCard. An attacker could exploit this vulnerability by generating a copy of a customer’s bar code. An exploit could allow the attacker to access all funds located within the MarketCard or allow unauthenticated disclosure of information.


PowerShell Anti-Virus with VirusTotal API

tl;dr We use PowerShell to continuously monitor any executed .exe files, then get the file locations and pass them to the VirusTotal API to get a virus report. We use an “if else” statement to decide whether to alert our “Security Team” and remove that file from Windows. The advantage of this script is that it lets the user check against the vast amount of data in the VirusTotal database in an automated fashion. Make sure you change the variables in the Readme for PowerAV.ps1.

PowerAV is a PowerShell script designed to monitor your system processes and send hash data to the VirusTotal cloud for analysis. This information can be very valuable for your SOC (Security Operations Center); the idea would be to convert this PowerShell script to a thin client that runs as a background process and monitors processes as they are triggered. This script would trip an email alert once malware is executed; see below for a screenshot of what a typical alert might look like.

Email sent from PowerAV


Five Things to Know about Cryptomining

Does it feel like your computer is running (or rather, crawling) slowly? You may be a victim of cryptomining, cyber criminals’ latest tool du jour. A couple of weeks ago, Reuters reported that thousands of websites, including ones run by U.S. and UK government agencies, were infected with cryptomining code. As we covered recently, many enterprising hackers also use this attack method to take advantage of the surge in online viewing activity around high-profile events such as the 2018 Winter Olympics.

Cryptomining may be the latest cyber attack on the rise, but what is it, exactly? According to MIT Technology Review, “Mining is a computationally intensive process that computers comprising a cryptocurrency network complete to verify the transaction record, called the blockchain, and receive digital coins in return.” In other words, “miners” work to solve complex mathematical problems in order to generate income in the form of digital currency, such as Bitcoin, Ethereum, Monero and others. This mining process requires serious hardware and significant CPU resources to “create” cryptocurrency.

To put this in perspective, a representative from Hitaveita Sudurnesja, an energy company in Iceland, said he expected “Iceland’s virtual currency mining to double its energy consumption to about 100 megawatts this year.” This is significantly more than what is used by the country’s entire population of 340,000.

What Does It Really Take To Track A Million Cell Phones?

Let us clarify right away: we are not talking about how to track your own cell phone in case it’s lost or stolen. We are talking about tracking everyone that lives, breathes and wears a cell phone.

This is actually incredibly easy and we think that people should be aware of that.

If a representative of a phone service provider with 10 million customers came into my office and asked, “What would it take to track every move of our 10 million customers?”, my answer would be “An intern and 6 months”. Then we’d insist the intern will need a desk, a computer, and basic programming and algebra skills. That’s all it takes.

Imagine for a minute that you are the intern in question. Congratulations and welcome to our company! Your internship begins now; this document will introduce you to everything you need to know.

We’ll go over the basics of cellular networks, geolocation principles, technologies readily available in every cell phone and how to leverage all of that into a truly real-time planet-scale mass surveillance system.

Spoiler Alert: If you are scared of 1984-like scenarios, you may want to stop reading this and bounce to a video with Darth Vader playing the accordion.


Using Windows FSRM to build a Killswitch for Ransomware

Despite the number of $ in this image, this solution costs zero $.

When I sit across the table from CISOs and ask, “Has your organization been affected by ransomware recently?”, the answer is almost always “Of course!” However, when asked how they are handling it, they are typically looking to me for an answer. While I believe that training the human and having in-line security appliances are certainly important, I wanted to share a solution that uses resources already built into Windows. This solution uses PowerShell and Windows File Services Resource Manager to automatically lock out a user account when ransomware activity is detected.

Installing FSRM

First and foremost, you will need to set up FSRM on your file servers. This feature is part of the File Services role and can be installed with the following PowerShell command (all one line).

Install-WindowsFeature -Name FS-Resource-Manager -IncludeManagementTools

Take note, FSRM is only available on Windows Server. If you’re interested in workstation mitigation, comment below and I’ll get to writing!


Remote console access and remote reboot for any modem

I have been in the IT security field for about 5 years now. Starting in desktop support and administration, we always needed a way to have console access to our Cisco equipment in case the internet went down or there was a configuration issue with the equipment. This solution does just that: it grants the equivalent of physical console access to remote users. The equipment required to set up console access and remote reboot is listed below.


Raspberry Pi – https://www.amazon.com/Raspberry-Pi-RASP-PI-3-Model-Motherboard/dp/B01CD5VC92/ref=sr_1_sc_1?ie=UTF8&qid=1467990411&sr=8-1-spell&keywords=rapbery+pi

IoT Relay – https://www.amazon.com/Iot-Relay-Enclosed-High-power-Raspberry/dp/B00WV7GMA2/ref=sr_1_1?ie=UTF8&qid=1467990377&sr=8-1&keywords=IoT+relay

USB to 2-pin power cable – had to make this cable

USB to Console cable – https://www.amazon.com/CISCO-Console-Cable-Replaces-72-3383-01/dp/B00I8CT8YG/ref=sr_1_5?ie=UTF8&qid=1467991193&sr=8-5&keywords=USB+to+Console+cable

CradlePoint with 2 NIC cards – https://www.amazon.com/Cradlepoint-Cellular-Broadband-multi-band-integrated/dp/B00X8D879C/ref=sr_1_10?ie=UTF8&qid=1467991271&sr=8-10&keywords=CradlePoint

Ethernet cable – https://www.amazon.com/Monoprice-2-Feet-Ethernet-Network-103419/dp/B002RBECAE/ref=sr_1_1?ie=UTF8&qid=1467991380&sr=8-1&keywords=2ft+ethernet+cable


To set up console access you must have a CradlePoint activated with a valid SIM card. Plug your Raspberry Pi into port 2 on the CradlePoint (port 1 is set to NAT by default); this will give you a public IP address. You should be able to SSH into your Raspberry Pi at this point. Log into the Pi and install picocom:


pi@raspberry:~ $ sudo apt-get install picocom


Now plug your serial cable into the Raspberry Pi. Change directory to /dev and run the following command.


pi@raspberry:/dev $ sudo picocom ttyUSB0


Now you should have console access to your Cisco equipment.