Friday, December 29, 2023

Monitoring Certificate Transparency Logs


What is Certificate Transparency?

Wikipedia defines it as:

Certificate Transparency (CT) is an Internet security standard and open source framework for monitoring and auditing digital certificates. The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

In practice this means that whenever a Certificate Authority (CA) issues an SSL/TLS certificate for a publicly trusted domain, it submits the certificate (or a precertificate) to public, append-only CT logs and embeds the resulting Signed Certificate Timestamps (SCTs) in the certificate. Browsers such as Chrome and Safari reject certificates that do not carry SCTs from at least two independent logs, so every certificate a modern browser will accept for your domain is discoverable in the logs by anyone, including you.

Why should my organization monitor CT Logs?

By monitoring CT logs, your organization can quickly identify any rogue certificates issued for your domain(s).  With simple monitoring, your defenders can detect a certificate that nobody in the organization requested and act on it before it is used in an attack: confirm with the teams who legitimately order certificates, ask the issuing CA to revoke it, and, more importantly, work out how the requester passed domain validation (a hijacked DNS record, a compromised web host, or an abused registrar account), because that weakness will be used again.

Some providers, such as Cloudflare, now offer this as a service.  However, there are several drawbacks.  First, your domain must be hosted and managed by Cloudflare.  Second, unless you have upgraded to a paid plan, notifications go only to the email address of the primary account holder.  And lastly, notifications are limited to email.

However, there is a very simple way to achieve the same results, leveraging a couple freely available services, without having to make any changes to your DNS infrastructure. 

How can we do this on the "cheap"?


The first step is to use the crt.sh tool, provided by Sectigo. Navigate to the site, enter the domain you would like to monitor (crt.sh accepts % as a wildcard, so %.example.com matches any subdomain as well), perform the search, and then click the RSS feed button.  Copy the resulting URL.




Next, sign up for a free account on If This Then That (IFTTT).  Once that is done, create a new applet.   Select "RSS Feed" and create a "New feed item" trigger.   Use the URL you previously copied from crt.sh and create the trigger.


Now the fun part begins.  IFTTT provides a plethora of notification options.  You can send alerts into a Slack channel, a Microsoft Teams chat room, or email your security team.   For demonstration purposes, I will simply send an email to myself:




Finally, provide a memorable name so the purpose of the applet is clear, and you are all set!
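The RSS-to-IFTTT applet above alerts on every new feed item, which means every renewal and every precertificate as well. The following script is an added example (not part of the original post or of crt.sh) that does the same polling against crt.sh's JSON output but only alerts on certificates that are new since the last run and that come from a CA you do not use or cover a hostname you do not run. The issuer allowlist, the hostname list and the sample records are assumptions constructed for the example; the field names are the ones crt.sh returns in its JSON view.

```python
"""Poll crt.sh's JSON view of the CT logs for a domain and flag the
certificates you did not expect. Added example, not code from the post."""
import json
import sys
import urllib.parse
import urllib.request

# Assumptions, not from the post: the CAs your organisation actually buys
# from and the hostnames you actually operate. Adjust to your environment.
KNOWN_ISSUERS = ("Let's Encrypt", "DigiCert")
KNOWN_NAMES = {"example.com", "www.example.com", "mail.example.com"}

# Constructed sample in the shape crt.sh returns (fields: id, issuer_name,
# serial_number, common_name, name_value, not_before, not_after). Entries
# 101 and 102 are the precertificate and final certificate of one issuance.
SAMPLE = [
    {"id": 101, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "serial_number": "03a1c2", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2023-12-20T09:00:00", "not_after": "2024-03-19T09:00:00"},
    {"id": 102, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "serial_number": "03a1c2", "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2023-12-20T09:00:00", "not_after": "2024-03-19T09:00:00"},
    {"id": 103, "issuer_name": "C=XX, O=Some Other CA, CN=Some Other CA DV",
     "serial_number": "7fe0", "common_name": "login.example.com",
     "name_value": "login.example.com",
     "not_before": "2023-12-28T01:00:00", "not_after": "2024-12-27T01:00:00"},
]


def fetch_crtsh(domain):
    """Download crt.sh's JSON view for a domain. The '%.' prefix makes the
    query match subdomains too. Needs network; not used by the offline run."""
    url = "https://crt.sh/?" + urllib.parse.urlencode(
        {"q": "%." + domain, "output": "json"})
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def dedupe(entries):
    """One issuance normally produces two log entries: the precertificate
    the CA logged to obtain SCTs and the final certificate. They share an
    issuer and serial number, so collapse them to a single record."""
    seen, out = set(), []
    for e in entries:
        key = (e["issuer_name"], e["serial_number"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def names_in(entry):
    """crt.sh lists every SAN in name_value, one per line."""
    return {n.strip().lower() for n in entry["name_value"].splitlines() if n.strip()}


def triage(entries, seen_ids=()):
    """Return (findings, ids). findings holds certificates that are new since
    the last run AND either come from an unexpected CA or cover a hostname
    you do not operate; ids is the updated set of crt.sh ids already seen,
    to be persisted between runs."""
    findings = []
    ids = set(seen_ids)
    for e in dedupe(entries):
        ids.add(e["id"])
        if e["id"] in seen_ids:
            continue
        reasons = []
        if not any(ca in e["issuer_name"] for ca in KNOWN_ISSUERS):
            reasons.append("unexpected issuer: " + e["issuer_name"])
        unknown = names_in(e) - KNOWN_NAMES
        if unknown:
            reasons.append("unexpected names: " + ", ".join(sorted(unknown)))
        if reasons:
            findings.append({"id": e["id"], "not_before": e["not_before"],
                             "issuer": e["issuer_name"], "reasons": reasons})
    return findings, ids


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else None
    entries = fetch_crtsh(domain) if domain else SAMPLE
    for f in triage(entries)[0]:
        print(f["id"], f["not_before"], f["issuer"], "; ".join(f["reasons"]))
```

Run it from cron with the domain as the argument, persist the returned id set to a file between runs, and hand the findings to whatever notifier you already use; the IFTTT applet remains a fine zero-code alternative if the extra noise is acceptable.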




What to do if a rogue certificate is detected?

Luckily, Cloudflare has very helpfully provided a list of support contacts for the major Certificate Authorities.  

Before escalating to a CA, rule out the benign explanations first.  A single issuance usually appears twice in the feed (the precertificate the CA logged to obtain its SCTs and the final certificate, sharing the same serial number), automated renewals from Let's Encrypt or your CDN show up on a schedule, and another team may simply have ordered a certificate without telling security.  The CA's abuse contact is for the remaining case: a certificate for your domain that nobody in your organization requested.



The Resurrection

 




Blogs have always been a vibrant space for individuals to express their thoughts, share experiences, and build communities. However, sometimes life takes unexpected turns, and our beloved blogs end up abandoned and forgotten. Today, I embark on a journey to resurrect my blog site that has been dormant since October 11, 2012. I started this blog 16 years ago and blogged fairly steadily for five years.   But life happened and I haven’t posted in a long 11 years now.   During this time I have been leading security in multiple high pressure startup environments.


One thing I’ve learned over the years is that it is REALLY challenging to implement an effective Cyber Security program in startups and small & midsize businesses (SMB).  An SMB environment, where both budget and staff resources are highly constrained, presents a unique set of challenges that most security vendors and security “thought leaders” tend to overlook.


So going forward, some key areas I will cover in my blog include:


1. Practical Security Measures for SMBs: Startups and SMBs often operate on limited resources and tight budgets. We will explore affordable yet effective security practices, tools, and techniques that these companies can implement to protect their sensitive data and intellectual property.


2. Threat Intelligence and Detection: Keeping up with the latest threats is essential for any organization, but it can be particularly challenging for startups and budget-conscious companies. We will delve into the world of threat intelligence, sharing strategies to identify and mitigate potential risks within a constrained environment.


3. Incident Response and Recovery: In the unfortunate event of a security incident, a swift and efficient response is crucial. Our blog will provide guidance on building incident response plans, handling breaches, and minimizing the impact on business operations, even with limited resources.


4. Compliance on a Budget: Regulatory compliance is a significant concern for companies across various industries. We will explore cost-effective approaches to achieve compliance with relevant standards, such as GDPR, HIPAA, or PCI DSS, while minimizing the financial burden.


5. Security Awareness and Training: Educating employees about cybersecurity best practices is vital for maintaining a strong defensive posture. We will discuss strategies for creating comprehensive security awareness programs tailored to the specific needs of startups and budget-conscious companies.


6. Leveraging Open Source Solutions: Open source tools and technologies can be a valuable asset for organizations with budget limitations. We will highlight reliable and cost-effective open source security solutions that can help bolster defense capabilities.


By focusing on the unique challenges faced by startups and budget-conscious companies in the realm of cybersecurity, my blog aims to provide actionable insights, practical advice, and relevant case studies. I hope to empower my readers with the knowledge and tools necessary to safeguard their digital assets and protect their businesses from evolving threats, all while working within their financial constraints.


Join me as I embark on this journey to explore the world of blue team/defensive security, catering specifically to the needs of startups and budget-conscious companies. Together, we will navigate the complex realm of cybersecurity defense, fostering a safer digital landscape for all.   My plan is to blog at least once per month (more on that later).

Wednesday, October 10, 2012

HITB Malaysia - Day 1


I am currently attending Hack In The Box (HITB), a major security conference in Kuala Lumpur, Malaysia.   This is the first security conference I have attended in many, many years.  So far I am highly impressed.  It’s easy to see the amount of meticulous preparation that has gone into this event.  Additionally, the talks have been really fantastic.  For this two-day event, I will share my thoughts and impressions from each talk and my general Likes/ Dislikes of the conference as a whole.

Day 1 - Talks:


The first talk I attended was "Tracking Large Scale Botnets" by Jose Nazario. While there was no new ground breaking information in this talk, I did come away with the following interesting facts:

  • Botnets are sometimes constrained to geographical regions.  This is due to the cultural attractiveness and the language utilized by the lures, which led to the initial malware infection.

  • Although security researchers are occasionally able to hijack entire botnets away from the original operators, they never (publicly) issue a "kill command" or clean up the botnet infections.   This is due to uncertain legal restrictions and repercussions.

  • Some botnet operators are now using cryptographically signed command signals as a defense against hi-jacking.

  • Some botnets contain a Domain-name Generation Algorithm (DGA), which operates on a timer.  This DGA is used to periodically generate a new DNS domain name for the command and control server.   For instance, the current command and control server may be serverX.adbprmmg.com, but once the DGA triggers and calculates that the new control server is serverY.bmpkngf.com, each node of the botnet will begin communicating with this new server.  By reverse engineering the DGA portion of the botnet code, malware researchers can register the new domain name before the botnet operator does and effectively neuter the entire botnet.
Jose Nazario
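The DGA mechanism from the last bullet, as an added example that is not from the talk or the original post. The algorithm below is a constructed toy (a date-seeded linear congruential generator; the seed mixing, the TLD list and the domain length are all arbitrary choices made for the example, not any real botnet's code). It shows why every bot lands on the same domain without contacting the operator, how a defender who has reversed it precomputes the coming days' domains for sinkholing, and a crude vowel-ratio heuristic for spotting DGA-like names in DNS logs.

```python
"""A toy date-seeded domain generation algorithm (DGA), plus the two things
a defender does with it once it is reverse engineered. Added example; the
algorithm is constructed for illustration and is not any real botnet's."""
import datetime

TLDS = ("com", "net", "org")   # constructed choice


def _lcg(state):
    """32-bit linear congruential generator. Every bot carries the same
    constants, so the same seed yields the same domain list everywhere."""
    return (1103515245 * state + 12345) & 0xFFFFFFFF


def _as_date(day):
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def dga(day, count=5, length=10):
    """Domains the bots will try on `day`. The seed depends only on the
    date, so the bots and the operator agree on today's C2 name with no
    communication; the operator registers one of them ahead of time."""
    d = _as_date(day)
    state = _lcg(((d.year << 16) | (d.month << 8) | d.day) ^ 0x5EED)
    domains = []
    for _i in range(count):
        label = ""
        for _j in range(length):
            state = _lcg(state)
            label += chr(ord("a") + (state >> 16) % 26)
        state = _lcg(state)
        domains.append(f"{label}.{TLDS[(state >> 16) % len(TLDS)]}")
    return domains


def sinkhole_candidates(start, days_ahead):
    """Defender use 1: once the DGA is reversed, precompute the domains for
    the coming days so they can be registered (sinkholed) before the
    operator gets to them. Returns {iso_date: [domains]}."""
    first = _as_date(start)
    out = {}
    for n in range(days_ahead):
        d = first + datetime.timedelta(days=n)
        out[d.isoformat()] = dga(d)
    return out


def is_dga_like(hostname, min_len=8, vowel_ratio=0.35):
    """Defender use 2: crude triage of DNS logs. Random letter strings have
    far fewer vowels than real words. Tune the threshold on your own data
    and expect false positives from CDN and tracking hostnames."""
    label = hostname.lower().split(".")[0]
    if len(label) < min_len or not label.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < vowel_ratio


if __name__ == "__main__":
    for day, domains in sinkhole_candidates("2012-10-10", 3).items():
        print(day, domains)
```

Real DGAs vary the seed source (date, a Twitter trend, an exchange rate) precisely to stop the pre-registration trick, and some sign the C2 response so a sinkhole cannot issue commands; the page's later bullet about signed command signals is the operator-side answer to this defense.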


The second talk I attended was titled "Data Mining a Mountain of Vulnerabilities" by Chris Wysopal.  Mr Wysopal's company, Veracode, scanned and performed analysis on approximately 10,000 applications from a wide range of sources.  This talk represented an analysis of that data and sharing of a lot of facts and figures.   The items that stuck out for me in this talk were:

  • Introduction of a new attack trend dubbed "water holing".  Basically this would be an attacker profiling a potential target and then attacking other sites of interest to the target.  The example provided was the attacker may determine that a subset of the employees of target company X are fanatical about the sport of Rugby and frequent a particular website dedicated to Rugby news.   The attacker would then attack the Rugby news website and host malware on it, in hopes of subsequently infecting the employees of target company X.

  • A very large percentage of non-web based applications have problems with cryptography.  These are related to improper key storage and the like. 

  • The historical data shows that application developers are doing a better job of eliminating SQL Injection vulnerabilities from their applications.   This data also showed that developers are still not making progress towards eliminating cross-site scripting issues from their applications.


The third talk I saw was "OPSEC: Because Jail is for wuftpd" by The Grugq.  This talk was probably the most entertaining talk of the day and primarily focused on "how not to get caught hacking".   The items that stuck out to me were:

  • Multiple quotes from The Wire and the Notorious B.I.G. song, "The 10 Crack Commandments".   Big props for those fantastic meaningful incorporations!

  • When hacking, you do *NOT* have any friends.  You only have "criminal co-defendants".  Treat them accordingly.

  • An anecdote of a guy who would rent hotels near business locations to do his hacking from.   The guy would bring along a lot of Wi-Fi gear, hack a nearby business, and then utilize the hacked businesses' networks to attack his intended target.  The multiple layers of abstraction are a really cool idea.

  • Fake personas take a long time to setup and establish.  These should be setup way in advance and should include things like Gmail, Facebook, and Twitter.

  • There has already been some discussion about a potential marketplace for the selling of established fake personas.

  • Remember to shut off your mobile phone when going to an off-site location to hack.  The mobile phone signals could be used to correlate your geo-location.

  • As Tor button and Tor enabled browsers are prone to "fail open" on desktops, Grugq has developed a customized version of OpenWRT to run on selected mobile access points which will force all traffic to the Tor network.   This will be hosted on GitHub.

Being a fellow Thailand-based expat, I'm really amazed by some of the stuff that Grugq speaks about.  Perhaps I am overly paranoid about a restrictive Thai government overreacting and revoking my visa and work permit, but I'd really like to know if he's ever run into any issues in this regard or fears that he might one day.  Hopefully at some point tomorrow I will be able to meet him and pose this question to him.
The Grugq


The next talk I saw was "A Historical Look at The Personal Computer and The Phreaking Scene" by John 'Captain Crunch' Draper.  It was great to hear tales of days gone by from a legend in the industry.  The item I found most interesting in this talk was:

  • Back in the day, the computer enthusiasts were sharing a BASIC program between themselves.   This was common practice in those days, but for some reason Bill Gates became upset by it.   Bill Gates ended up being the first person to ever consider that software should be "closed".
John Draper


The next talk I saw was "Pwn@Home: An Attack Path to 'Jailbreaking' Your Home Router" by Fredric Raynal & Gabriel Campana. This talk focused on a previous customer engagement where the speakers were contracted to "test the security" of a set-top box and home router.   The talk was fairly technical in nature, but the thing I found really cool was:

  • As the client did not define parameters around "testing the security", the speakers decided to review from 3 different perspectives:
  1.  As a "Geek User".   Could they install other software packages on this router?  Could they install OpenWRT?

  2. As a "Paranoid User".  Were there backdoors present?  What remote services were installed?  Was any surveillance type software present?

  3. As a "Bad Guy".  Could they pentest against the PayTV infrastructure?  Could they attack other routers and build a botnet?

A few weeks ago, I was examining the security of my own newly purchased home router.   This particular router forces the use of DNSPROXY and will only distribute the single internal IP address of the router as the client DNS server via DHCP.   I started digging in the router and eventually was able to get a shell and access to the file system.   I found many troubling things (more on this in a later posting!).   I was eventually able to make the changes I wanted (which were lost upon reboot), but I was never able to get *FULL* root access and was soon distracted by other tasks.   Seeing this talk makes me want to revisit this and try the following:

  • Check for the presence of setuid binaries and attempt to exploit.

  • Try to download and decompress the firmware.

  • Run "strings" against the firmware.
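The first and third items of that list, as an added example (not from the post or the talk): walk an extracted or mounted firmware tree for setuid/setgid binaries, and pull printable strings out of a firmware blob and filter them for the things that usually matter on a router (config paths, hard-coded credentials, remote management daemons, update URLs). The firmware blob and the directory tree are constructed stand-ins built inside the script; the pattern list is an assumption to tune per device. Decompressing the image itself (the second item) is a job for binwalk, which this example does not replace.

```python
"""Two first-pass checks on a router's filesystem and firmware image: find
setuid/setgid binaries, and extract printable strings from a blob and grep
them for things worth a closer look. Added example, not from the post."""
import os
import re
import stat
import tempfile


def find_setuid(root):
    """Walk `root` (a mounted or extracted firmware tree) and return
    (path, octal mode) for every regular file with the setuid or setgid bit.
    Each one runs with elevated privileges and is the natural target when
    you hold an unprivileged shell: argument, environment and PATH abuse."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def strings(blob, min_len=6):
    """Equivalent of strings(1): runs of printable ASCII of at least min_len."""
    out, cur = [], bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


# Assumed patterns that usually deserve a look in router firmware: config
# paths, hard-coded credentials, remote management daemons, update URLs.
INTERESTING = re.compile(r"/etc/|/dev/|passw|telnetd|dropbear|https?://|secret", re.I)


def interesting_strings(blob, min_len=6):
    return [s for s in strings(blob, min_len) if INTERESTING.search(s)]


def sample_firmware_blob():
    """Constructed stand-in for a firmware image; not from any real router."""
    return (b"\x7fELF\x01\x01\x01\x00" + b"ab\x00"
            + b"/etc/dnsproxy.conf\x00\x90\x90"
            + b"admin:password123\x00"
            + b"http://updates.example.net/fw.bin\x00"
            + b"libc.so.0\x00")


def build_demo_tree():
    """Constructed directory standing in for an extracted root filesystem:
    one setuid binary and one ordinary one."""
    root = tempfile.mkdtemp(prefix="fw-")
    os.makedirs(os.path.join(root, "bin"))
    busybox = os.path.join(root, "bin", "busybox")
    ls = os.path.join(root, "bin", "ls")
    for p in (busybox, ls):
        with open(p, "wb") as fh:
            fh.write(b"\x7fELF")
    os.chmod(busybox, 0o4755)   # setuid; on the device this would be root-owned
    os.chmod(ls, 0o755)
    return root


if __name__ == "__main__":
    for path, mode in find_setuid(build_demo_tree()):
        print(mode, path)
    for s in interesting_strings(sample_firmware_blob()):
        print(s)
```

On a real device point find_setuid at the mounted squashfs or at binwalk's extraction directory, and feed the raw image to interesting_strings; a busybox with the setuid bit is the common case and is only interesting if the applet list includes something exploitable.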


The final talk of the day was "'I Honorable Assure You: It is Secure': Hacking in the Far East" by Paul Sebastian Zieglar. This talk was also very entertaining and after almost five years as a security professional in SE Asia myself, it hit really close to home.  This talk focused on the cultural mindset of Japan and Korea and how that applied to the realm of security.  There were so many great points made in this talk, they are too numerous to list.  My thoughts on this talk were:

  • There are a lot of similarities with Thailand.

  • There were also a lot of subtle differences with Thailand.

  • I would love to do an "extension" of this talk to focus on my observations based on my time in Thailand.


Overall Conference Likes:


  • Well organized and planned.
  • Good selection of local Malay food for lunch and great desserts.
  • Free bottled water widely available throughout the conference area.
  • Ease of registration.
  • The booth babes at the Time Networks booth.  I know some would consider this sexist, but booth babes are still very common in South East Asia, particularly in Thailand.  This is simply part of the culture, where oppressive fears of being non-politically correct don't run rampant.  So what some in the West may deem sexist, I deem it to be embracing of the culture I've chosen to immigrate into.


Overall Conference Dislikes:


  • The photographers and videographers spend too much time filming and taking pictures of the audience.  As someone who detests having my picture taken, I find it annoying to have a video camera pointed in my face every time I look up.
  • There is loud techno music being played in the common area throughout the event and additionally in the conference rooms between talks.  This is quite disturbing to the talks, as every time someone opens the door to come or go during a talk, the music can be heard through the open door.   I really wish the conference organizers would either select a less annoying form of music, turn it down a bit, or just play "Gangnam Style" on an infinite loop.

Day 2 Plan:


  • Talk 1 - Silo Busting in Information Security: The ISC SIE Approach - Paul Vixie
  • Talk 2 - How to Get Along with Vendors Without Really Trying - Katie Moussouris
  • Talk 3 - XSS & CSRF Strike Back Powered by HTML5 - Shreeraj Shah
  • Talk 4 - iOS Panel Discussion
  • Talk 5 - Messing Up the Kids Playground: Eradicating Easy Targets - Fyodor Yarochkin
  • Talk 6 - Information Warfare & Cyberwar: What's the Story Morning Glory? - Raoul Chiesa
  • Talk 7 - Element 1337 in the Periodic Table: Pwnium - Chris Evans

Be sure to follow me on Twitter @WetFdStamp for more pics and highlights from HITB Day 2!

HITB - Capture The Flag


Wednesday, September 26, 2012

WiFi Scanner in OSX Mountain Lion


It's a little-known fact that OS X Mountain Lion comes with a built-in wireless scanner. This scanner comes in quite handy when surveying available Wi-Fi access points. To use this scanner, simply open a terminal window and type:


 open /System/Library/CoreServices/Wi-Fi\ Diagnostics.app


This will open the primary Diagnostic window:



You can just ignore this window.   Next press Command + N.  This will open up the Wi-Fi Utilities window:


Now click the "Wi-Fi Scan" button at the top and your scan will start automatically:



Friday, July 23, 2010

CentOS 5.5 Upgrade Bug

After upgrading a few production servers from CentOS 5.4 to CentOS 5.5, I have identified a potential bug in the upgrade. For some reason the chkconfig entry for postfix gets deleted and postfix doesn't start automatically after a reboot. I couldn't find references to this anywhere else, so I am posting in hopes that it may help somebody else. This is an easy fix, but something you need to watch for as you update any servers running postfix.

After upgrade and reboot, running chkconfig no longer shows postfix in the list.

[root@mx1 ~]# chkconfig --list
[..snip..]
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[..snip..]


I was able to get it to show up simply by typing "chkconfig postfix on". I assumed I would need to do "chkconfig --add postfix" to *ADD* it first, but it does not appear that this is the case.


[root@mx1 ~]# chkconfig postfix on
[root@mx1 ~]# chkconfig --list
[..snip..]
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pand 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
psacct 0:off 1:off 2:off 3:off 4:off 5:off 6:off
rawdevices 0:off 1:off 2:off 3:on 4:on 5:on 6:off
rdisc 0:off 1:off 2:off 3:off 4:off 5:off 6:off
[..snip..]
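A service silently dropping out of the boot configuration is easy to miss until the next reboot. The script below is an added example (not from the post) that parses `chkconfig --list` output, diffs a pre-upgrade snapshot against a post-upgrade one, and independently checks that the services a host must start are registered and on in the multi-user runlevels. The two snapshots are constructed from the listings in the post, with an extra sshd line added to show a runlevel change rather than a missing service.

```python
"""Parse `chkconfig --list` output and compare a pre-upgrade snapshot with a
post-upgrade one, so a service that fell out of the boot configuration
(postfix, in the post) is caught before the next reboot.
Added example, not from the post."""
import re

LINE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")


def parse(text):
    """Return {'postfix': {0: False, ..., 3: True, ...}, ...}. Lines that are
    not runlevel entries (snip markers, xinetd sub-service lines) are skipped."""
    services = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        levels = {int(lvl): state == "on"
                  for lvl, state in re.findall(r"(\d):(on|off)", m.group(2))}
        services[m.group(1)] = levels
    return services


def diff_snapshots(before, after, levels=(3, 5)):
    """Services present before but gone after, and services whose state in
    the multi-user runlevels changed between the two snapshots."""
    missing = sorted(set(before) - set(after))
    changed = {}
    for svc in sorted(set(before) & set(after)):
        for lvl in levels:
            if before[svc].get(lvl) != after[svc].get(lvl):
                changed.setdefault(svc, []).append(lvl)
    return {"missing": missing, "changed": changed}


def check_required(snapshot, required, levels=(3, 5)):
    """Independent of any earlier snapshot: the services this host must start
    at boot. Returns (service, problem) pairs; empty means all good."""
    problems = []
    for svc in required:
        if svc not in snapshot:
            problems.append((svc, "not registered with chkconfig"))
            continue
        off = [lvl for lvl in levels if not snapshot[svc].get(lvl)]
        if off:
            problems.append((svc, "off in runlevel(s) " + ",".join(map(str, off))))
    return problems


# Constructed snapshots modelled on the post's listings: the same host
# before and after the 5.4 -> 5.5 upgrade.
BEFORE = """\
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
postfix 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
"""
AFTER = """\
[..snip..]
ntpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
oddjobd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
pcscd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:off 4:on 5:on 6:off
[..snip..]
"""

if __name__ == "__main__":
    before, after = parse(BEFORE), parse(AFTER)
    print(diff_snapshots(before, after))
    print(check_required(after, ["postfix", "sshd", "pcscd"]))
```

Save `chkconfig --list` to a file before the upgrade and feed the fresh output to diff_snapshots afterwards; for every service reported missing, `chkconfig <service> on` restores the links, as the post found for postfix.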



Friday, August 07, 2009

Google-Hacking Google's Safe Browsing List

I discovered a kind of cool trick the other day with the Google safe browsing service. When doing a client vulnerability assessment or pen-test, if the customer has an assigned AS number, you can quickly check the Google safe browsing list to see all the sites from their network found to be serving up malware in the past 90 days. For example, if you were doing an assessment for a customer that owned the AS number 11643, you would use a URL in the following format:

http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=AS:11643

(This diagnostic endpoint has since been retired; Google now publishes per-site verdicts through its Safe Browsing Transparency Report and, for automated lookups, the Safe Browsing and Web Risk APIs.)

As your customer is probably not knowingly going to host malware, identifying these sites proves valuable as it is probably still exploitable. More often than not, I have discovered that these sites have been compromised through weak/ easily guessable FTP or SSH usernames and passwords.

Taking this a couple steps further, I noticed that Google has published an API for this service.
An interesting application of this would be to take all the discovered host names, when enumerating a client's IP space with something like Fierce Domain Scan, and feeding each of those sites into the Google Safe Browsing list.

There are several other applications of this. Say for instance you are a web hosting provider. You can semi-monitor your hosted customers and notify them when they end up on the "bad list". This can either be done by plugging in your AS number or by enumerating all the sites and plugging those into the API.

Another application for this, could be for a security company to identify potential customers. For example, working for a security vendor here in Thailand, all I would need to do is identify a few Thailand specific AS numbers, and away we go:

AS 7470 , AS 9737 , and AS 9931

Please note, for those who are not familiar with the naming conventions in the .th TLD, go.th is reserved for government sites and mi.th is reserved for military sites. With that knowledge, the results above are sort of shocking, no?

Tuesday, July 28, 2009

Scam Protection - Open Letter to the bar owners of Thailand


Here in Chiang Mai, as well as various other parts of Thailand, one seemingly popular scam, is collection of music royalties and levying of fines for infringement. These "copyright police" show up with dodgy documents and a uniformed police officer in tow. These uniformed officers, either through sheer ignorance or an agreement for a cut of the profits, allow the "copyright police" to seize computer equipment, confiscate CD's, and even will arrest "violators" and take them down to the jail.

You can read more about this horrible scam here and here.


So, obvious legalities aside, I asked myself, "Why are they making it so easy?" "What would *I* do, if I was running bar in Thailand?" [Something that is actually part of my long-term goals, but that is a story for another day!]

So, Bar Owners of Thailand, here is what I would do:

First off, I would stop storing questionable items on my computer. On my personal computer, you will not find any mp3s, boot-legged movies, pornography, pictures of old girlfriends, etc.. Not saying I don't possess these items, I am just saying they are NOT stored on my personal computer. Now if I was going to have a PC sitting out in a public place of business, I think this rule of thumb should be infinitely more applicable.

So, how can I make this work? Easy! First I would head down to Pantip (or any other computer mall of choice) and buy a nice, cheap, external USB hard-drive. Next I would download the free/ open-source tool, TrueCrypt. I would use this to create one or two large encrypted volumes on the USB device. In these encrypted volumes, I now have a handy, safe, and very portable place to store all my questionable items!

If anyone ever tried to catch me with said questionable materials, hopefully me or my staff might have time to quickly disconnect the USB drive and physically move it out of sight. If not, it does provide me with some measure of plausible deniability.

There are no questionable items to be found on my computer, nor the encrypted device... Go ahead and take a look... I challenge you to show me these items! Most likely they aren't going to be able to.

If for some strange reason, the "inspector" is somewhat intelligent enough to figure out the encrypted USB storage trick, and presses me for the password, no problem! A simple white lie, for instance, "an unknown person accidentally left it behind.. I have no clue what the password is. I, being nothing short of a good Samaritan with the best of intentions, simply plugged it into my computer in hopes that I could determine the proper owner and return it to them."

What can they do? And better yet, what can they prove in a court of law? :)

[Disclaimer, I am NOT a Lawyer. I am NOT advocating unauthorized possession of copyrighted materials and/ or the misleading of authorities. I have carefully reviewed the prevailing law here, the Thailand Computer Crime Act of 2007, and do not see any indication that what I am proposing is in violation of any sections of this law. However, again, I am NOT a lawyer and more importantly I am NOT a Thai lawyer.]

On the off chance this helps someone and you end up saving 50,000 THB, feel free to comp my drinks next time I visit your fine establishment.