My notes from RSA 2018 sessions and labs. I've sanded off the rough-edges from my raw notes. Might still be a bit 'bumpy'
When the opportunity to attend RSA came up, I decided to take a chance to see how it compares to other security conferences I've attended in the past (like DEF CON, BlackHat and BSides). After attending the 5 days of the conference I can say that RSA definitely has a different 'feel' to it than the other conferences and depending on what you are trying to accomplish, it may or may not be a good value for the $$$ spent.
We ran into an interesting situation on a legacy system where we were unable to allow outbound traffic on a CentOS 6 server to the internet, yet we needed to install Python 3.4 and the 'requests' library on the server.
OpenVAS is an open source vulnerability scanner that I have used (and seen used) over the last few years. It's history goes back to 2005 as a fork of a previously open source (now commercialized) vulnerability scanner. This tool tends to be used when the dollar-cost of a commercial solution appears to outweigh the time and effort needed to maintain an effective OpenVAS installation.
The most common problem that I encounter using OpenVAS is the 503: service temporarily down error. When I see this message it almost invariably ties back to an expired self-signed certificate. I've seen this error enough times that I want to document the process in case I end up using this tool again in the future.
Awhile ago at a previous employer I worked with a VAR to do a system and software inventory of our workstations. They had written a custom application in C#.NET (for windows systems) and a bash script (for Mac OS) that captured the inventory data and encrypted it for us to email back to them. Sounds pretty straight forward, right?
I asked them about how the data would be protected on collection and being transmitted to them and surprisingly heard back from the VAR that their encryption mechanism 'cannot be disclosed publicly'. Hmm.... Before agreeing to run the programs and send back results, I performed a secure code review and found some interesting things about their collection tools.
This morning I tried to run security updates on one of my Centos VPS systems. Had to get creative since just running yum upgrade did not work. The yum process was killed unexpectedly:
Transaction Summary ========================== Upgrade 19 Package(s) Total size: 24 M Is this ok [y/N]: y Downloading Packages: Running rpm_check_debug Killed
A month or so ago I started an SSH Statistics gatherer with the hope of identifying high-level configuration details of SSH-2/SSH-1.99 servers in the USA. In running the tool for a couple of weeks I identified 46,250 SSH Servers that meet the basic criteria (I'd like to do a survey of SSH Servers running older versions in the 1.x range at a later date). This post explains the results of the survey.
Today I spent way too much time trying to debug an issue encountered while developing a Chrome extension. While attempting to create an Options page, I setup a separate 'options.js' file (to comply with security requirements that don't permit inline-JS) and found that the .js file would not load and that there were no error messages listed in the chrome developer tools view.
An interesting problem surfaced earlier this year that prevented our systems administrators from using RDP to connect to a windows server if they use a windows laptop. Paradoxically, SysAdmins who run Macs were not affected. It took a little time to track this down and now that I've been through the troubleshooting process I know how to fix it and can see how we wound up in this situation in the first place
We switched from LastPass to 1Password and encountered an unexpected hindrance: HTML encoded strings somehow replaced certain characters in critical passwords. The first time through the process it seemed like 1Password was was causing the problem. Upon further investigation we found that the problem originated during the LastPass 'export' process.
I will be starting an SSH Statistics gatherer that will be targeting US based IP addresses today. The gatherer tool will run for 1 week through Sunday, January 22, 2017. During this time you may notice SSH-2.0-ssh-stats-gather-2017_1.0.0 appear in your SSH server logs. This tool performs a banner grab of SSH servers and does not attempt to login (performs a partial connect)
I will update this post once the run completes with more details.
Update 2017-01-29: Things picked up pretty fast and I was able to pick up quite a bit of data. The stats gathering tool has been turned off and I am parsing the results. Expect a post about the details at some point in the next few weeks.
Update 2017-01-22: Technical issues have come up which require that I extend the duration of this project for another couple of weeks. The new target completion date is Sunday, February 5th, 2017
Update 2017-02-21: Results were published here
This week I needed to compile PuTTY to work on an Ubuntu system running 16.04 (LTS). The instructions are pretty straight-forward and will take you most of the way through compiling something you can use. A problem I ran into is that I kept on running into errors during compilation referencing dlsym, dlopen and dlclose.
Fate was on my side as I was able to work my way through the problem (with a generous dose of google) and comple that actually works.
For the last few months we have been experiencing intermittent issues with one of our production processes. The issue is one that has confounded us in its lack of consistency and ability to frustrate anyone assigned to troubleshoot the problem. I was asked to look into the situation and in the end was able to discover the root cause in just a few hours using Telerik JustDecompile coupled with Microsoft's SQL Profiler tool. The journey was exciting and I'll share what I can here.
While cleaning up some old files I found a project that compares file manifests between MSIs. At the time we needed the ability to quickly determine if the files contained in a set of new MSIs contained at least the same set of files that was generated using a previous build process. While there are other tools that can compare MSIs, this code is lightweight and command-line scriptable.
I needed to setup a quick dashboard a couple months back so I turned to Dashing.io. Everything worked great, then one day none of the dashboard widgets displayed any data. Given the nature of the dashboard and its users this was incredibly annoying.
The symptoms of this problem (which I can only replicate on Centos) are:
- Dashboard widgets appear in the right order/layout when you load the page
- Widgets do not contain any data until you Ctrl-C or kill the dashing process
When I first setup boredwookie.net Concrete5 was used to power the site. In the years since then I've grown tired of using a heavyweight CMS to post a few pages. Last month I made the switch over to Jekyll and the transition was anything but painless. It was incredibly difficult and required a lot of manual effort and fine-tuning to get right. Along the way I created a ruby script to take some of the busy work out of doing a bulk migration.
The script takes xml files generated by the Concrete5 Legacy Migration Tool and creates jekyll-style posts with YAML front matter that can be massaged into a working site. While there are gaps in what I could script-out it was a useful tool in the migration effort.
I've been looking for a development platform that can let me create programs which work across all major operating systems. While there is nothing wrong with scripts and scripting languages, sometimes a GUI just makes sense. In the past I've used WinForms in C# to create utilities with functional user interfaces, but now that I'm looking to switch to Linux full-time I'd like something which is about as easy to use that can target at least Linux and Windows.
Qt appears to check all the boxes I need, so barring development of a WinForms-like option for .NET Core or other changes in the landscape I'll press on.
Within the next year or so I would like to be using Linux as my full-time desktop. To get there I need to find a development platform that lets me create small, stand-alone, cross-platform GUI tools. While scripts are great, sometimes things can be a lot easier with a GUI.
As part of my continued migration to Android from BlackBerry OS 10 (and to try and pick a framework for cross-platform application development), I created a tool in both Electron as well as Qt variants to read and extract notes from the old Notepad application I used to use on BB 10 devices (Noted - Written by a friend of mine). While the user interface for this tool is not very sophisticated (especially the Electron version), it gets the job done.
While attempting to use electron to write a cross-platform utility, I ran into an unexpected problem: The application would error out with a few weird messages like these:
- App threw an error during load
Error: Cannot find module 'app'
at Module._resolveFilename (module.js:455:15)
- App threw an error when running [TypeError: Cannot read property 'on' of undefined]
TypeError: Cannot read property 'on' of undefined
This week marks a bittersweet end to my use of BlackBerry smartphones: I retired my BB Priv. BlackBerry no longer makes a device that I can advocate for or recommend. Part of my migration to a new device involves exporting an old device-local calendar that I have been carrying around since BB OS 7. The export went well (plenty of utilities on the app store will let you export a calendar) and I was left with a 16,000 line ICS file that I wanted to migrate.
The problem I ran into is that NextCloud hangs when it tries to process such a large calendar file and does not give any indication about the trouble it has (The web UI would hang with the words Import Scheduled).
I've been experimenting with OpenVAS for a few months now in my home lab. While the tool can be a bit fiddly at times it has found legitimate issues that would have been difficult for me to identify manually.
One interesting thing to note is that when OpenVAS scans itself (at least for installs that I've performed) is that it defaults to allowing certain weak ciphers. There is general guidance on how to lock-down the ciphers to a more secure configuration - it just requires some massaging if you run OpenVAS as a service which starts on boot.
I used to be a big BlackBerry fan and have used the company's devices for about 5 years. While BB10 was awesome, The BB Priv and it's android implementation were lacking. I recently migrated to a new Android device and faced a dilemma: what do I do with the over 600 passwords that have accumulated in the BB standard 'Password Keeper' tool?
To address this password migration situation I created the BB to KeePass Converter. This tool converts CSV exports from the BlackBerry Password Keeper tool and processes what it can (there are limitations) to save someone the hassle of re-entering all their passwords
A few years ago I needed a quick way to check if regular expressions would work in a Bash Shell, so I setup regexraptor.net. Over time I stopped using the site as the platforms I needed to automate were not super bash-heavy, yet the site carried on.
Fast Forward 4 years: Online Bash Regex Checker is one of the top searched for posts on Bored Wookie. The site is pretty bare-bones, but if you need to check a regular expression to see if it will work in a modern bash shell, why not take a look?
I recently had the opportunity to interact with the LogRhythm SOAP API. LogRhythm is a SIEM/IDS solution that has components which run on both Windows and Linux. They provide an HTTP/SOAP interface which allows for interacting with the system via well-defined API calls. This API runs in Windows/IIS.
My goal was to use ruby to interact with this API as part of a security data aggregation script I needed to execute. This article describes a couple things which helped me on my way to success.