Blue Team Starter Kit - Google for research

November 12, 2015

Google is a powerful tool for information security or IT in general. I was first introduced to Google back in 2003, while serving in the US Navy. Before Google I had used Yahoo, Netscape, and Lycos search functions with varying results. Once Google showed up, it changed the game. More accurate and quicker results became the norm. The other search engines began to fade until eventually Google was the reliable go to.

At my DerbyCon talk, someone mentioned Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown. The book takes a red team approach to utilizing Google. While that is important we're going to focus on some beginner level techniques in this post.

As with all the tools we’ll be covering, using Google is well documented. If a search technique needs better understanding, Google it. It’s that simple. Two of my favorite parameters to use are: quotation marks (“ “) and site search (site:).

Using quotation marks (“ “) around search terms will help refine searches. For example if I search for infosec tools I’ll get one set of results:

Using “infosec tools” I get a different set of results:

The first search term (infosec tools) is checking the entire page for the words infosec and tools. The second search tearm (“infosec tools”) is looking for that specific phrase in the web page. I've found using quotations useful for searching names and complex problems. Putting the quotations around a phrase helps refine the search. The search infosec tools returned 701,000 results; the search “infosec tools” returned 2,940 results.

This technique is also useful for using exact words with other terms. Example: Forensics “infosec tools”

The other parameter I like to use is the site: parameter. This parameter allows you to search within a specific site for specific words or terms:

2015-11-10 11_59_50-site_timothydeblock.com NSA - Google Search.png

That’s 19 results for the word NSA on this site. This is useful for searching blogs or sites that are difficult to navigate. Earlier today I came across this post on MOZ that talks about 25 operators specifically for the site: parameter.

There are numerous other search operators available to further refine searches. filetype: is another useful one. This operator is useful for discovering specific file types like a spreadsheet or PDF. Here are two of the many sites that dive deeper into Google search operators:

We’ve only scratched the surface, but this is a good starting point. Google is a powerful tool for security teams. Learning to use it effective is a valuable skill for any security team. From here disciplines like Google Dorking and OSINT await. As well as other tools that will help make your team better at what they do.

This post first appeared on Exploring Information Security.

Blue Team Starter Kit - Introduction

November 5, 2015

I recently gave this talk at BSides Augusta and DerbyCon this past September. BSides Augusta is a longer version where I demonstrate each tool. DerbyCon is a shorter version where I talk about each tool. After presenting at IT-ology Trends 2015, I decided to document the talk here on my site as a reference for people interested in the content.

My talk Blue Team Starter Kit presents several security challenges with low cost solutions. It is for security professionals with limited resources including time, money, and people.

LIMITED RESOURCES IS ONLY AN EXCUSE

Limited resources can be it’s own challenge.

“If only we could buy this appliance, all our problems would be solve.”

Except that when that appliance come in, it takes time to configure and train. Oh, and that function that the salesmen says would solve all our problems, ya, that doesn’t work. Some appliances work great. Other times not so great. Unfortunately, when the not so great happens we lose money and time. Look in house before even beginning to research solutions that can solve problems.

Often, I’ve found that appliances are not configured correctly or fully implemented. A little tender, love, and care (TLC) can get appliances running more efficiently and potentially help solve certain challenges. After looking in-house, if the problem still isn't solved, fire up the browser and start researching solutions.

Here are some of the challenges I've had to deal with in the past and the low cost solutions that helped meet those challenges.

CHALLENGE #1 - Research

Google is a fantastic tool for doing research. It is the first stop to begin solving difficult challenges. Understanding Google’s search techniques is a vital in becoming a proficient IT professional. COST: Behavioural data

CHALLENGE #2 - Threat Intelligence

So, how do I keep up with information security and it’s every changing ways? How do I keep my thumb on the pulse of the industry? Might I suggest social media and more precisely Twitter. The platform is a wonderful tool for the latest news and tools in information security. It also acts as a forum to interact with people to ask questions and make connections. Sure there is drama, but that can be tuned out (like any appliance). Don’t overlook this as a tool for your security team. I have found a lot of benefit using this in my day-to-day job. COST: Behavioural data

CHALLENGE #3 - Application Security

Management approached me with the challenge of doing security assessments on all new applications. With the help of Google, I found a non-profit organization called the Open Web Application Security Project (OWASP). OWASP is an open source community. Within the community is a vast amount of resources to help with application security. This is where I discovered a wonderful tool called the Zed Attack Proxy (ZAP). Setup as a proxy ZAP can be a powerful tool to help security professionals and developers find vulnerabilities in applications. COST: Free

An alternative to this tool is Burp Suite which has a community version and a paid version. COST: $300 year (Professional version)

CHALLENGE #4 - Forensics

As part of my job I respond to alerts from the state's Security Operations Center (SOC). Initially, we were just re-imaging the machines. At some point we decided we wanted to get a better understanding of how machines were being infected. I can't remember exactly where I found Redline from Mandiant (now FireEye), but it's helped with meeting this challenge. The tool (largely memory based) collects browsing history, registry and file changes and much more. It then puts it all in one location for automatic and manual analysis. COST:Free

An alternative to this tool is Volatility. COST: Free

CHALLENGES #5 - Endpoint Security

Microsoft’s Enhanced Mitigation Experienced Toolkit (EMET) adds an extra layer of protection to machines with Adobe Flash, Java, and Microsoft products involved. Sure, all the Windows XP machines should be off the network, but damn those legacy applications. Worried about that latest Internet Explorer vulnerability? Articles reporting on new vulnerabilities often times have the sentence "EMET mitigates this vulnerability." Like this one. COST: Free

CHALLENGE #6 - Patch Management

This is a big one and one that might be the most difficult of all the challenges. I tried a couple internal applications (it's amazing how many solutions have a deploy software function), with frustrating results. That is until the sysadmin I worked with suggested Admin Arsenal’s PDQ Deploy. It is a software deployment application that just works. Combined with PDQ Inventory it has the potential to help patch third-party software. COST: $500 (Enterprise version)

CONCLUSION

The challenges and tools above I plan to dive deeper into over the coming weeks. Working with limited resources can be tough and frustrating, but there are solutions. Look internally at existing solutions, first. Then look at external options. There are plenty of expensive appliances out there that will solve the problem. When those are determined to be outside of the budget, start looking at some of the inexpensive options. Often there are simpler and cheaper solutions to challenges. It might take a little more research, but they have the potential to do just as good of a job.

Feedback and suggestions are welcome in the comment section or by email: timothy.deblock[at]gmail[dot]com.

This post first appeared on Exploring Information Security.

Google offers new two-factor authentication option

October 22, 2014

You Can Now Protect Your Google Accounts With a Physical Key - Eric Limer - GIZMODO

I've never had a problem with how Google's two-factor authentication works. There are two options, receive a text message with the two-factor code or install an app that syncs with the Google account. Both methods are fairly easy to use and add a significant amount of security to Google accounts. Now, though, it appears there is a third option, which includes hardware. The hardware will have to be purchased and then enabled for a Google account, but it makes it much easier to interact with a Google account via Chrome or Chrome OS.

I'm a little concerned at the fact that it's a hardware option, because it could be lost or stolen. I imagine that you can disassociate the device from the account if it's lost, but if it's used sparingly there could be a large period of time between the lost device and discovery. And if someone steals the device and happens to have the password to my account it seems like it would be much easier for them to get into my account with hardware that supposed to make it more convenient for me to login. Sure my phone can be lost or stolen, but I'll know about it pretty quickly and it does have a lock on it. And yes, my phone passcode could be cracked, but it is adding another barrier to someone getting into my account vs. a piece of hardware that's triggered by the push of a button. That's not to say that I think this option is bad; it's just that I don't find the current process all that annoying. Regardless, I think a third option is a good thing, because more options for security is a very good thing.

This post first appeared on Exploring Information Security.

Public infosec links July 21, 2014

July 21, 2014

How to remove your house from Google Street View - Graham Cluley - welivesecurity

Google is mapping the world, which does come with privacy concerns. However, there is a way for someone to request that their home be blurred on Google Maps street view.

The Rise of Thin, Mini and Insert Skimmers - Brian Krebs - Krebs on Security

There are devices that can be attached to an ATM that can grab your credit card information and pin number. The stuff is meant to look like it’s part of the ATM. If you can wiggle something loose at an ATM it’s probably not meant to be there. Look for anything that appears to be out of place on an ATM.

Beware Keyloggers at Hotel Business Centers - Brian Krebs - Krebs on Security

Malware on a public machine is not all that surprising. Using a public computer for personal accounts is never a good idea. I would recommend avoiding public computers all together, but if you must I would be very careful what information you access on that machine.

This post first appeared on Exploring Information Security.

InfoSec links July 18, 2014

July 18, 2014

It Is Idiotic To Hand Out Your Twitter Password to Prove Passwords Are Dead - Kashmir Hill - Forbes

How a journalist distributed denial-of-service (DDoS) his account in one easy step. He tweeted out his Twitter password with two-factor authentication on. He wanted to prove that two-factor authentication was a fantastic security measure. To my knowledge no one has gotten into his Twitter account yet, however, he has had to switch phone numbers.

Project Zero - A Team of Star-Hackers Hired by Google to Protect the Internet - Mohit Kumar - The Hacker News

I can’t help but get a little giddy about this. Sounds very Avengers like and a new way to think about information security. I have on my board at work “Hunt Teams,” which is an idea I heard on a podcast. The team essentially tries to prove that the organization hasn’t been hacked yet.

Meet Google's Security Princess - Clare Malone - Elle

A wonderful read on Google’s Security Princess (her title choice) Parisa Tabriz. She’s the hacker hired by Google to break into Google. The article talks about her background and rise to a security manager of 30 people at Google. It’s Friday, take about 15 minutes through this article. You won’t be disappointed.

This post first appeared on Exploring Information Security.

Infosec scam links July 3, 2014

July 3, 2014

Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication - Zach Lanier - Duo Security

I love two-factor authentication. I turn it on just about everywhere that I can. It’s a real easy way to secure your online account. Well, unless it’s not implemented properly and that’s what it looks like PayPal did. Lot of technical details to dive into this one.

Google's Famous Security Guru Found An Embarrassing Hole In Microsoft's Products - Julie Bort - Business Insider

Microsofts nemesis, Tavis Ormandy, who works for Google found a vulnerability in their security software. The word skirmish is used in the article, which just makes this little battle between tech giants all the more juicy. Way better than Jersey Shore.

Redmond's EMET defense tool disabled by exploit torpedo - Darren Pauli - The Register

In other not-good news for Microsoft. It appears that some researchers have found a way to disable their Enhanced Mitigation Experience Toolkit. This doesn’t make the tool useless, but it does mean Microsoft has it’s work cut out for it strengthening the tool. Currently Tech Preview 5.0 is unaffected by this. Researchers are working on 5.0 and will have details regarding those attempts at Black Hat in Las Vegas in August.

This post first appeared on Exploring Information Security.

Information Security Link March 7, 2014

March 7, 2014

Surveillance by Algorithm: https://www.schneier.com/blog/archives/2014/03/surveillance_by.html

Bruce Schneier is one of industry leaders in information security and more specifically cryptographer. He is a very very intelligent individual and you will become smarter reading his works, guaranteed. In this particular blog post he takes some quotes made by the NSA and Google to task, in regards to how they handle people’s personal data.

The TL;DR version is:

The NSA version of the term ‘collect’:

“So, think of that friend of yours who has thousands of books in his house. According to the NSA, he's not actually "collecting" books. He's doing something else with them, and the only books he can claim to have "collected" are the ones he's actually read.”

Google says it’s algorithms, that read your email, is like your dog
“To wit: when you're watched by a dog, you know that what you're doing will go no further than the dog. The dog can't remember the details of what you've done. The dog can't tell anyone else. When you're watched by a computer, that's not true. “

This post first appeared on Exploring Information Security.