Tuesday, August 12, 2014

Biggest Collection of Stolen Login Credentials

A Russian crime ring has amassed a gargantuan database of pilfered login credentials, including 1.2 billion unique username-password combinations and 542 million email addresses, Hold Security of Milwaukee said today. This makes it the largest known collection of stolen credentials to date.
According to Hold Security, the attackers used a botnet to hunt for sites vulnerable to SQL injection hacks. They compromised roughly 420,000 websites and lifted 4.5 billion username-password combinations in all; after eliminating duplicates, the number drops down to a no-less-impressive 1.2 billion unique login combos. Hold Security has not released the names of the victim sites.
What's puzzling is that the criminals have not put this goliath database to great use so far. They are not selling the records. They're merely using them to operate a spammer-for-hire service. Nevertheless, the incident underlines the persistent troubles of lax website security, inadequate monitoring, and single-factor authentication.
"At this stage of the game, using passwords for security is simply table stakes," David Rockvam, vice president of product management and marketing communications for Entrust, told us. "In order to truly protect our personal and financial information, second-factor authentication is a necessity."
Some companies "are not being proactive enough about security; therefore, they are ill-equipped to detect these types of breaches," said Jay Kaplan, CEO of Synack. "In fact, it's likely that most of them do not even realize how many times they've been compromised, as it's very challenging to track compromises when you do not have a continuous security cycle to test against and prevent these types of attacks."
"Today, we have learned of a huge issue where it seems like a billion passwords were stolen overnight," said John Prisco, CEO of Triumfant, "but in reality... crime rings have been stealing information for years. They've just been doing it undetected, because there hasn't been a concerted effort on the part of companies entrusted with this information to protect it. Vendors haven't delivered a truly defensive product until recently. For so many years, we've relied on antivirus, which just doesn't work. Vendors are in a transition period where the most effective products are not yet widely deployed."
Hold Security's researchers do not believe the attackers are politically motivated or have any connection with the Russian government. Russian entities were among the websites compromised.
(Source: DarkReading)

Friday, August 8, 2014

My Experience with the GIAC GSEC Exam

What do you do when you decide to take an IT certification exam? What path are you going to head down first? How long should this endeavor take? What books or video prep classes should you invest in? All these questions go through our minds when we take that first step into the realm of certification. Since everyone learns differently, there is no silver bullet when it comes to taking exams. Anyone who has gone through any sort of exam experience, whether it be a mid-term, SAT, or IT certifications, should by now really understand how they learn the best. What I’m going to give you is my experience and what I did to prepare for the GSEC exam.
Collecting certs is to become a Pokemon Master!

I am the Ultimate Pokemon Collector

My first step was really to decide whether or not the GSEC exam would benefit me in the long run. It may sound silly to even ask this question. But in the world of IT certifications, you must really take into consideration the return on investment. A friend of mine, Ike, and I joked around with the notion of certifications becoming like the characters from Pokemon, “gotta collect them all.” There are so many out there and trying to do this to become the ultimate Pokemon collector is just not feasible, nor financially responsible (even if someone else is paying). I decided that the GSEC exam would be a good ROI for me as I am retooling my skillset from a help desk/system admin role to a security centric role. I have always been interested in aspects of security, but it never really fit into my job description. I figured I should change the job description and this would be a great place to start.

The Doctor Will See You Now

After deciding I’d like to attempt the exam, I researched what the exam is all about. People said it was a good supplement to the CompTIA Security+ exam, which I got when going through Western Governors University. If you are reading this, you may have also read that attending the SANS Security Essentials 401 class is a must. While this is not technically true (you can do a challenge attempt), it is highly recommended. I attended a SANS event in Austin, TX. I chose this one specifically for the fact that the man, myth, and legend, Dr. Eric Cole would be teaching the SEC401 class. Dr. Cole is the creator of the course and definitely knows his stuff. Unfortunately, Dr. Cole would not be joining us for the length of the class, as he was being inducted into the Infosecurity Europe Hall of Fame. He did, however, make the flight back from Europe to finish out the class. This dude is dedicated to everything he does. While he was away fighting fatigue by drinking frightening amounts of RedBull, Keith Palmgren took the reins and guided the class through the SIX BOOKS we received on the first day.

A gallon a day, keeps fatigue at bay.
Yes, for one week, we went through a book a day. I was mentally exhausted by day four. This is where I have to thank my personal sponsors, caffeine and sugar. Those two guys got me through the last couple of days. But I digress. You need mental stamina to continue to write down notes and glean gems of information the instructor gives you. The books are excellent material, but the real world stories you are told not only reinforce the book material, but also give ideas on what could be implemented at your current job. This is where the SANS events shine. I was able to bundle the OnDemand and get the self-study MP3s. The advice here is the same: Take as many notes as you can. The OnDemand option has a nice feature of small quizzes at the end of each section to reinforce what you learned. If you are doing purely OnDemand, do NOT skip out on the lecture and go straight to the quizzes. You WILL miss material and won’t get all the information you need.

So you have gone through a SANS event in person or via vLive, did OnDemand training, or did the self-study option. What now? Read the books. You might not think you’d need to read every word after listening to or watching the lectures, but skipping this would really put a hurt on your final outcome. You will find details you missed, but that’s ok, you’re going to find those details now. You are now in the midst of the longest part of the process: making the Index.

On Indexing and Losing Your Social Life

You may ask, why in the world do I need an index? Well, the GIAC GSEC exam is open book. Remember back to the first day you took your SANS course? You received a big heavy bag of books that gives a wide range of information ranging from physical security to annual loss expectancy. Each of those books is heavy in information, but unfortunately light on either a table of contents or an index. If you are like the 99% of us who can’t recall what is on page 132 of book 3 in seconds, take a deep breath and realize your social life is on hold until you fix that void in your study plans by making The Index. Just like me, you will find any and every excuse to want to stop making the index. Persevere and you will be rewarded. I promise.

People on forums will tell you that an index that is greater than 50 pages is too much and you learned too little. Others, like me, will tell you that your index needs to be as long as your index needs to be. My initial index is 74 pages long. After taking a practice test, I know I need to add more details (more on this later). Basically what I did was go page by page creating an index of term, book, page number, and detail using an Excel spreadsheet. The following is a rough sample of what I created:

Page #
Location of Hosts file in Windows
Location of hosts file in Linux
Individual permissions in the DACL.

I had my index spiral bound for added geek cred.

The index needs to be detailed. The information cells I’ve included here do not match exactly what I have in my index since I don’t want to deal with copyright issues with SANS. But the more information you put here, the less time you’ll spend flipping through your book, skimming the paragraph, and finding your answer if you’ve forgotten some fact or just want to double check your answer. List a term, put in the book number, page number, and the definition word for word in the detail/info section. This is time consuming but will pay off come test time. Another bit of advice here is to not make your entries too long. Break up your entries into smaller portions. For example, I have three rows for HIDS alone, then one row each for HIDS – Advantages, HIDS – Challenges, and HIDS – Developments.

Commands were color coded depending on OS.
Another tip you may want to incorporate is to have a separate section in your index for just commands, tools, and misc/bonus material. My index includes five sections: The SANS SEC401 Books 1-6, Commands Index, Tools Index, Bonus Material, and Glossary of Terms/Acronyms. I chose to include the glossary even though it is in the back of book six for the fact that I do not want to be flipping books too much during the test. Each of these sections is divided off with labeled tabs for easy acquisition. The commands and tools are in the same format as the book index; four columns: term, book, page, and info. The bonus materials include the SANS TCP/IP and tcpdump reference guide, two styles of subnetting charts, and an IPv6 reference guide. Update: The price for having this index spiral bound at a professional store made me rethink the glossary. That section has been replaced with the Bonus Material section being broken down into subnetting reference and the tcpdump guide.

Indexed and Ready… Right?

Hold on there cowboy (or girl). The index is finally complete. Take a day or two to recompose yourself. In other words, bathe. Before you go off to your testing facility, remember that SANS gives you two practice exams to try out before you attempt the actual exam. Some of the SANS instructors tell you to take one of those practice exams soon after the class or self-study is finished. I knew before attending the SANS event in Austin that I wanted to use my first practice exam to refine my index, so I did not take this advice. I don’t really think this would hurt me in any way, but I don’t have any numbers of my own to back up this claim. I took the first practice exam to see how the rough draft version of my index would help me out. I got my results back, and at 80% I had my answer as to how to proceed with the index. Two things were clear from this result: 1) Read the question and understand what it is asking. I had multiple questions where it asked for the false statement and I picked the true statement instead (I probably missed 6-8% because of this). 2) There were a few tools and commands out of place in the index, and some terms I need to keep my eye out for during my second read through the books.

I will be taking my exam in a few weeks and will let you know how everything goes. Until then, it will be many sleepless nights. Updates will follow once this journey is complete.

Thursday, August 7, 2014

Raspberry Pi Powered by the Sun!

In The Beginning…

Ever since the Raspberry Pi came out, I was entranced by the coolness factor of having a small pocket sized computer that cost just north of thirty bucks. Hats off to those devoted for making this project a reality and launching it to the world. The only problem for me at the time of Pi launch was the fact that I lived in a Windows world, and to an extent, still do. I had no rad Linux skills. No formal or informal training. I got my hands on an installation disc of Mandrake way back in the day when I did call center tech support. The only way to get that geek cred in that place was to show you knew your stuff. I took that disc, spun it up in my 32x CD-ROM drive, wiped my Windows partition (you know, cause this open source stuff comes at a college student budget), and stepped through the install. After it was all said and done, Windows was back as soon as it had gone. FAIL. I had similar experiences with Red Hat and Ubuntu; I did manage to get wireless working on the former, but it was too much of a pain to deal with when it was so easy to make it all work in Windows.

Flash forward to today. I’m still in my Windows world due to the place I work, but I’m much more comfortable with Linux and even got my LPIC-1 certification. My Raspberry Pi, which I used to study for the aforementioned cert, has since been sitting in a lonely dark drawer next to a twice used wicked looking webcam I got from WGU. This dark and dreary future was not what I had envisioned for the poor Pi. There are so many cool projects out there and one that caught my eye was from a guy who had a web server running off a Raspberry Pi that was powered by the sun and 4 AA rechargeable batteries. How cool does that sound?! I put this on my list of things I must do. After about a year or so I finally decided to shed some light on this project (did you see what I did there?).

Let’s Get To Work

To kick this thing off, I went back to that old project page and got some information on power consumption of the Pi. Knowing I’m going to run this headless saves on the load drawn from the battery compared to attaching some sort of touch screen. I tried to figure out the math behind how long it would run on a full charge before shutting down and going to bed, which led me to ask: what battery pack should I use? The original idea had AA batteries which fit the project scope, but I wandered over to my favorite maker’s page, adafruit.com. Searching the shop, I was happily greeted with my power answer and a plethora of parts and/or kits for everything Raspberry Pi. The parts I finally opted for are as follows:

·         Medium Solar Panel (6V, 2W) https://www.adafruit.com/products/200
·         USB / DC / Solar Lithium Ion/Polymer charger https://www.adafruit.com/products/390
·         Lithium Ion Battery Pack - 3.7V 4400mAh https://www.adafruit.com/products/354
·         Male DC Power adapter - 2.1mm plug to screw terminal block https://www.adafruit.com/products/369
·         PowerBoost 500 Basic - 5V USB Boost @ 500mA from 1.8V+ https://www.adafruit.com/products/1903
·         2 x JST 2-pin cable http://www.adafruit.com/products/261
·         Large Plastic Project Enclosure - Weatherproof with Clear Top http://www.adafruit.com/products/905
·         Waterproof Metal On/Off Switch with Red LED Ring http://www.adafruit.com/products/916

PowerBoost 500 Basic with USB connector soldered on.
When the box showed up safe and sound, I was set. The USB Solar charger had to have the included capacitor soldered on to the PCB, and the PowerBoost also needed the USB A jack soldered on. This was pretty easy and really one of my first soldering attempts at putting components onto a PCB (the only other things I’ve soldered were Deans connectors onto batteries).
USB/DC/Solar LiIon/LiPo charger with capacitor soldered on.

Next, the battery had to have the JST cable soldered on. I left them long just in case I needed the extra length when fitting this all inside the enclosure. The last soldering to be done was to solder the two remaining JST cables together for the link between the charger and the PowerBoost. I did not show the soldering steps because if I can do it, you can too. Believe me. Finally, the solar panel came with a plug that would not fit the USB charger. The easy fix was to nip the tip and add the 2.1mm plug.

That’s Great, But Does It Work?

Testing the PowerBoost 500 with the battery.
When a coding project gets near completion, I start looking at the components and wondering “how did I break this part?” The same holds true for this one. The PowerBoost and the charger, where I had to actually solder components to the PCB, were my biggest concern. Batteries I’ve done, but this seemed to be a more delicate operation. This is the point where I start testing the theoretically completed parts. So I plugged the battery into the PowerBoost and was delighted to see the green power LED light up. Does it power on the Pi? After plugging in the USB cable to both the PowerBoost and the Pi, the little pocket computer powered on. Success!

Ok, so that’s one part down. What about the solar panel and charger? Taking the solar panel, battery, and charger outside, I connected it all together. Again the LEDs that indicate charging came to life! Success x 2! It may seem pretty basic to a lot of you out there, but it’s small things like this that amaze me. Also, keep in mind I am the son of someone who has taken electrical engineering classes, yet still stuck his finger in a light socket to see if the power was still on.

Putting it all together with all components working should yield a working solar powered Raspberry Pi, right? I’m usually cynical when it comes to situations like these and usually expect the worst, so I won’t be disappointed when that outcome happens. But today, things just clicked. Moments like this put a big smile on my face. The Cynicism Demon was slain. Now to the next part of this project: getting the Pi to run headless.

Prep the Pi

Since I had used this Raspberry Pi to study for the LPIC-1 exam, a lot of the work was already done. But that was so long ago and it needed an update. More requirements popped up, such as a static IP address on the wlan0 interface and remote desktop. I also ran into the problem of having forgotten my user pi password since it was set up so long ago and so quickly neglected, thrown into a locked drawer, and forgotten about. But times change, things are brought back out into the light. Used for new purposes. First thing’s first, get wireless working.

For the wifi adapter, I had a very tiny Wi-Fi USB adapter from Edimax (EW-7811Un) being used in a security lab I setup earlier this year. When I got this adapter, I envisioned using it for the Pi, so the lab will suffer a little bit but these are so cheap on Amazon, I’ll be grabbing another soon. Setting up Wi-Fi was a little more difficult since I didn’t have a mouse to click on things (one USB for the Edimax and the other for a keyboard).

These are the steps I took to get Wi-Fi working on my network:
1)      Plug in the Edimax
2)      Power on the Raspberry Pi
3)      Ctrl+Esc and run wpa_gui.
4)      Tab through to the Manage Networks tab and fill in the blanks for SSID, Authentication, Encryption, and PSK.
5)      Tab to the Current Status tab and try to Connect. I had to reboot my Pi before it would connect to my access point.
6)      Upon connection, you’ll see the IP address populate on the Current Status tab.

Once I got connected to the access point and was able to successfully ping outside of the network it was time for updates. A quick apt-get command and everything was all set. So static IP shouldn’t be too hard, right? I spent about thirty minutes to an hour fighting with having the wlan0 interface retaining a static IP. Here are the steps I took to resolve this:

1)      Bring up LXTerminal
2)      Type: sudo nano /etc/network/interfaces
3)      Change the line “iface wlan0 inet dhcp” to read “iface wlan0 inet manual”
4)      Change the line “iface default inet dhcp” to read “iface default inet static”
5)      Add these lines after the above line: “address 192.168.xxx.xxx” “netmask” and “gateway 192.168.xxx.xxx” where xxx is your subnet and host octets.

I also checked wpa_supplicant.conf to make sure it all looked fine (and it did) by using the following command:

                sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

This shows SSID, PSK, encryption type, etc. Basically everything you see in wpa_gui. I changed nothing in here. Now, the above solution is a little weird. Why not just set wlan0 to static? At first I did and got nowhere fast. The only thing I could ping was the loopback interface and my static IP address. Couldn’t ping the gateway IP although I did specify it. The above solution was the only thing I could come up with and make work after rebooting a few times to make sure it auto connects.
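
Added example, not from the original post: a small POSIX shell check for the /etc/network/interfaces layout used above. It assumes the stock Raspbian layout of the time, where the wlan0 stanza carries a wpa-roam line pointing at wpa_supplicant.conf (not shown in the post); with wpa-roam, wpa_supplicant itself runs ifup on the "default" logical interface after associating, which is why wlan0 has to stay "inet manual" and the static address lives under "default". The three sample files are constructed, with 192.168.1.x stand-in addresses.

```shell
#!/bin/sh
# Added example: sanity-check a Raspbian-era /etc/network/interfaces that uses
# wpa-roam. Assumption (not from the post): the wlan0 stanza has a wpa-roam
# line. The ifupdown hook for wpa_supplicant only accepts wpa-roam on an
# "inet manual" stanza, and after association it brings up the "default"
# logical interface itself, so the static settings belong under "default".

# check_interfaces FILE -> prints "ok", or one line describing the problem
check_interfaces() {
    awk '
        # remember which stanza we are in and its method (dhcp/static/manual)
        $1 == "iface" { cur = $2; method[$2] = $4; next }
        $1 == "wpa-roam" && cur == "wlan0" { roam = 1; next }
        # collect the address options that belong to the "default" stanza only
        cur == "default" && ($1 == "address" || $1 == "netmask" || $1 == "gateway") {
            opt[$1] = $2
        }
        END {
            if (method["wlan0"] == "") { print "no iface wlan0 stanza"; exit }
            if (roam && method["wlan0"] != "manual") {
                print "wpa-roam needs \"iface wlan0 inet manual\", found inet " method["wlan0"]
                exit
            }
            if (roam && method["default"] == "") { print "no iface default stanza"; exit }
            if (roam && method["default"] != "static") {
                print "wpa-roam brings up \"default\", but it is inet " method["default"]
                exit
            }
            if (method["default"] == "static") {
                split("address netmask gateway", need, " ")
                for (i = 1; i <= 3; i++)
                    if (opt[need[i]] == "") { print "default stanza is missing " need[i]; exit }
            }
            print "ok"
        }' "$1"
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the layout the post ended up with (stand-in addresses).
cat > "$WORK/working" <<'EOF'
auto lo
iface lo inet loopback

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
EOF

# Constructed sample 2: the first attempt, wlan0 made static directly while
# wpa-roam is still present, so wpa_supplicant never associates.
cat > "$WORK/broken" <<'EOF'
allow-hotplug wlan0
iface wlan0 inet static
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1
iface default inet dhcp
EOF

# Constructed sample 3: right stanzas, but the gateway line was forgotten.
cat > "$WORK/nogateway" <<'EOF'
allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet static
address 192.168.1.50
netmask 255.255.255.0
EOF

for f in working broken nogateway; do
    printf '%s: %s\n' "$f" "$(check_interfaces "$WORK/$f")"
done
```

Run it against your own file with `check_interfaces /etc/network/interfaces` before rebooting; the broken sample reproduces the "only loopback and my own IP answer" situation described above.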
At this point, static IP and wireless are working. Just need to make remote desktop work. For this project, I do not need to access the Raspberry Pi desktop from outside of my network. For this feature you may press your luck with Google. Also, this is for connecting from a Windows based laptop to the Pi. I’m using xrdp for my remote desktop solution. I had already installed this feature when studying for the LPIC-1 exam, but here are the steps to install it:

1)      Bring up LXTerminal.
2)      Type: “sudo apt-get install xrdp”
3)      If it asks for your password, please feed the pi the password.
4)      This should begin installing your software for remote desktop, xrdp.
5)      Restart the Pi. This should get the Remote Desktop Protocol server running.
6)      You can verify this when the Pi boots up by finding the line: [OK] Starting Remote Desktop Protocol server : xrdp sesman. My Pi boots directly to the desktop so I have to be quick to find this line when it boots. If yours boots to command line, you’ll be able to easily find this line.

Great! RDP is up and running on the Raspberry Pi! Let’s jump back to the Windows world for a second.
1)      On the Windows laptop, bring up Remote Desktop Connection and enter in the static IP address we gave the Pi and hit Connect. You may get a security warning, hit OK since we know you got a nice safe Pi.
2)      You’ll be presented an XRDP login prompt showing Module, Username, and Password. Leave the module defaulted to sesman-Xvnc and type in your username and password (the default username is “pi” and the default password is “raspberry”).
3)      Click OK and peer through the Windows to the world of Pi.

Now, I had trouble on this part of the process because I didn’t remember the password I set for the user “pi” so long ago. There are a couple options to fix this:

1)      From an LXTerminal window, use the “sudo raspi-config” command to run the starting config and change the password that way.
2)      From an LXTerminal window, use the “sudo passwd” command.

I used option 1 which was quick and simple.

That’s about it for prepping the Pi. I haven’t really come up with what I want to do with the Pi. Should it be a web server, FTP server, etc.? Or should it be used as a surveillance machine, like Ike created? Or should it be used for weather reports? Time will answer that question. But to finish out the build, we need to look at fitting all this stuff in a box.

What’s In the Box?!

So many drawn diagrams. So much planning.
I’ve spent a few days looking at how to put all these parts in the box. I took measurements of the components with calipers. First observation was pretty obvious: All components including the Pi cannot remain on the same plane. That means shelves. The box has two M4 bosses that will work as a starting point for creating two shelves within the box. The bottom shelf will house the battery, charger, and PowerBoost. The top shelf will house the Pi. According to the tech specs on adafruit.com, this box has an internal height of 70mm. So there is the first constraint I had to deal with. How should I lay the planes in the box? I went with a 3.5”x6.5” plane for both top and bottom. These measurements gave me just enough room to fit the middle 90mm x 167mm space in the box. I drew out a few diagrams, namely, a top down view of the inside of the box, a side view with components for vertical spacing, and one top down view of the shelves for placement of the components. Laying out the components was not too difficult when drawn out on paper (yeah, I guess I’m old school. No CAD here). Getting stand offs for this project proved a bit of a challenge. I had some of those jack screws you’d find on the back of a pc or laptop on either side of the video connection to support the video cable and some screws from the inside of a laptop. These screws seemed to fit but wouldn’t go all the way into the jack screw. I threw that idea away and found some nylon stand offs, but they would take about twenty days to get to my door step. In the end I used 2-56x3/4 nylon screws, #2 .032” thick washers, 2-56 nylon lock nuts and ¼” #4 nylon spacers to act as a makeshift standoff. Putting all these together, they fit well and snug on the small circuit boards.

Next order of business was obtaining the material for the shelves. I went to the local hardware store and got a sheet of Lexan cut to the above dimensions. It fit perfectly in the box. Next was to place the PowerBoost and the LiPo charger to know where to drill holes. All the places were marked on the Lexan and the drilling began. This was my first time drilling into polycarbonate. I read a lot on how to drill this stuff so it would not crack. Everyone agreed you should clamp the Lexan to wood and drill with a drill press. I was not able to get my hands on a drill press, so I was careful to be as vertical as possible with my trusty drill. Lessons learned on the test pieces of Lexan showed that slow and steady wins the race here. On to the actual pieces. They turned out perfect. The circuit boards were screwed in place with the nylon screws, spacers, and nuts. As they say, measure twice, cut once. This was very true here. So the first shelf is done, on to the second shelf. Only three holes needed to be cut for this one: two for the bolts to hold up the shelf and one for the capacitor on the charger.
PowerBoost, Charger, and Battery all laid out in the enclosure.
If that last hole was not made, the Pi would not be able to fit inside the box. Taking measurements of the capacitor, I marked the location where that hole would be drilled. However, something occurred to me. The capacitor is not perfectly vertical. So I made the hole, but used a dremel to widen the area where the Lexan and the capacitor kept touching. Easy fix, but that made the top shelf look a little janky. No one will see it since the piece will be covered anyway.

Another step that doesn’t really need to be documented but you’ll notice in the photos, I used a dremel to cut off the top of the bolts that are used for supporting the Lexan shelves. This was done so I could work with the shelves a little easier and just set them into the box instead of putting the shelves on the bolts and screwing everything into place. I’m going to cap them with locking nuts to prevent any sharp edges and make it look a little more finished.

Everything at this point was looking great, but another thing popped into my head. If I continue on with the plan I had in mind, I would have to take the box apart to turn off the Pi. I need a power switch I can easily have access to. Back to my layout drawing. I saw the space I needed for a switch. Again, Adafruit.com to the rescue. I ordered the on/off switch listed above in the parts list. This switch did not come pre-wired. This was a good thing for me. That means I get a bonus for learning how to wire up the switch. Again, I took measurements to get the vertical and horizontal placement correct on the side of the box. I required a 16mm hole drilled into the side of this box, but living in an imperial world, I wasn’t able to source a 16mm drill bit, so I went with a 5/8” bit and milled out the extra .1mm. No big deal, and the hole looked pretty clean.
Testing the external power button. The LED makes it look good!
I quickly learned how to wire up the switch so the LED would turn on when the button is depressed and off when not switched on. Back when I was soldering all those wires together, I had enough length in the wires for the job. The question now was, could I still use the same wires or did I need to get a few more inches of wire? Lucky for me, there was just enough wire after cutting the cable apart from the original plan. I decided to wire up the cable between the charger and the PowerBoost instead of wiring up the battery directly. I went this route so that if I have to change out my battery in the future, it can be done with little or no effort. The wiring for the switch goes as follows: the positive wire from the charger goes to the Common terminal, then a small jumper wire goes from the Normally-Open terminal to the Positive terminal, then from the Positive terminal to the PowerBoost, then the negative wire comes out of the PowerBoost to the Negative terminal on the switch, and then from the Negative terminal to the charger. This wiring scheme allows the LED to light up when the push button is in the on position and stay off while in the off position.

Quickly, I hooked up all the cables to the appropriate jacks, screwed the shelves in place, and used some double sided tape to keep the battery in place and also to keep the Pi case from being knocked around on the top shelf. Screwed the top cover in place and voila, a solar powered Raspberry Pi computer!

Praise the Sun!

At this point, I am feeling really good about this project. How amazing is it when you learn new skills and overcome challenges? I learned a lot in regards to planning for a project of this scale, making a soldering job look nice, how a switch is wired up, and more. I haven’t done any long term testing as to how long the Pi will run into the night when only running on battery. However, I find it amazing that this pocket computer can inspire so many people to come up with bright ideas and make them a tangible item. Some of the notable pages that helped me complete this project are as follows:

·         How to make a Raspberry Pi solar-powered FTP server
·         Adafruit.com
·         Ike the Network Guy
·         Raspberry Pi Forums

Final product. One solar powered Raspberry Pi!

Finally, for all you Sun Bros out there, Praise the Sun!