Posted in Informational, InfoSec History, Research, Vulnerabilities

There is no Safe Haven: Mac Attacks

I was all set to write about an interesting job in infosec today and then I woke up and saw reports of a new attack, ‘Pacman’, being leveraged against Apple computers. This report got me thinking about a conversation I saw on social media where a connection was asking about what laptop to buy. One of this person’s friends mentioned getting an Apple because they are ‘safer’ than Windows machines and ‘antivirus wasn’t needed’ (no one but us tech geeks recommends Linux; it wasn’t even in the running). I recall thinking that laypeople are just really unaware that Apple systems are getting targeted at higher rates in recent years. So here we are talking about Mac Attacks.

As a disclaimer, I’ve got no real dog in whatever battle exists between OSes. As a tech-head I have systems that run Windows, macOS, and several flavors of Linux. The job isn’t to safeguard a specific type of system; it’s to safeguard them all.

We can say, oh, macOS and Linux distros have fewer known vulnerabilities or are attacked less often, but to say that one or the other doesn’t have any or doesn’t get attacked is untrue. All systems are open to attack.

Some Recent Apple Malware:

  • Pacman
  • Silver Sparrow
  • XLoader
  • GoSearch22
  • Thiefquest

A more in depth look at some Apple vulnerabilities and malware can be found here or here.

I will always advocate for users to protect themselves. Defense in depth isn’t just for enterprises; it also means that users shouldn’t assume that their systems are just inherently ‘safe’. When people say security is everyone’s business I can support that, because your end security should be your business, which includes setting precautions to overlap where initial software and hardware might fall short.

Posted in Flashback Friday, Informational, InfoSec History

Case Study: Maroochy Shire

Problem

In 2001, a former contractor who still had access to the system compromised the industrial control system (ICS). This compromise caused sewage to flood the town and watershed.

This would become the first widely recognized attack on an industrial system.

“Marine life died, the creek water turned black and the stench was unbearable for residents,” said Janelle Bryant of the Australian Environmental Protection Agency in The Register.

Cohen, Gary, 2021

Solution

  • Focus on possible Insider Threats
  • Offboarding procedures
  • Emphasize separation of duties
  • Air-gap operational technology from information technology.

Posted in Informational, Labs, What I've Used

Splunk Core Certified User – Study Guide

I would advise anyone who wants to learn to use Splunk to actually use Splunk. They offer a really thorough fundamentals class for free and you can set up a Splunk environment fairly easily.

There’s also hands-on practice to be had by completing the ‘Boss of the SOC’ challenges.

Furthermore, I recommend:

Splunk Certified Study Guide by Deep Mehta published by Apress

I highly recommend the above book to supplement study and test prep.

Posted in Informational, Learning Woes, What I've Used

Broke the Microsoft Curse

Or Passing AZ-900

Last Friday I sat for and passed Microsoft’s Azure Fundamentals (AZ-900) certification test. During my hiatus I had sat for and failed Microsoft’s Security Analyst (SC-200) test.

To be honest I really wasn’t prepared for SC-200. I breezed through the Microsoft Learn coursework and didn’t really study the material. Although I had hands-on with their security tools I’d never used Kusto Query Language. I kinda wanted a feel for how Microsoft tests were comparatively speaking.

Failing SC-200 wasn’t a big hit because I was aware of my shortcomings.

Still, to me, Microsoft cert tests are trickier and have section blocks that limit the ability to go back and change answers, which I wasn’t prepared for the first time taking one of their exams, but was ready for when taking the Fundamentals exam.

This exam is basically theoretical and based on understanding Azure at a high level and using the cloud as a whole.

I would recommend using the following to test prep:

  • Microsoft Learn for AZ-900 (free Microsoft course)
  • Jim Cheshire book (pictured below)
  • Microsoft also has ‘Virtual Training Days’ which can help.

Jim Cheshire – “Microsoft Azure Fundamentals Exam Ref AZ-900”

Now to get more hands-on with Azure!!

Posted in Informational, Labs, Simple Malware Analysis

Build a Lab with Me (#1)

Write the Docs…

So, I’m a little bit of a tech hoarder. I’ve got several Raspberry Pis, NUCs, Mac minis, and a Chromebox. I also have a switch to put pfSense on. I’ve kinda got the hardware part down (tho I am looking for 1 more machine with 16 GB of RAM to complete my vision).

This being said, I have a few things I want out of my lab environment:

  • Malware Analysis machine
  • Security Onion Analyst machine
  • Cyber Threat Intelligence Machine
  • Possible Forensic Analysis Station
  • Also want to have a pihole

I also know I want to mess around with Docker and Python; although these don’t need their own environments, the other three kinda do. This is especially true for the malware analysis machine, which needs to be isolated as much as possible to prevent infection of other systems.

Draft Lab Documentation

The above is the draft documentation I cooked up to kinda mimic inventory management. I also think if I’m going to have stationary IP addresses that this should be documented as well. I started having this info written out, but have also entered it into note-taking software. This is my attempt to be meticulous and intentional in this endeavor.

Posted in Informational, Simple Malware Analysis

Bazar Call Emails: More than a Scam

This week I learned about Bazar Call / BazarLoader malware. I had never heard of this malware campaign. Even when it was explained to me I didn’t think that it would have a high success rate, but after doing more research, it is really successful.

The whole cycle starts with an email, one that often talks about the end of a free subscription or being charged for a renewal or the like. This email might not have any links or attachments, but will have a number for the recipient to call.

<sidebar: I’d always thought these types of emails had 1 purpose and that was to scam recipients by getting them to call and then getting them to divulge credit card information or other personal information…my viewpoint was limited.>

When the recipient calls to cancel or dispute the perceived charges they are directed by the ‘call center’ to a website, and this website downloads the BazarLoader malware, which can be a carrier for other malicious code like Trojans or ransomware.

https://unit42.paloaltonetworks.com/bazarloader-malware/
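
The chain described above (billing or renewal pretext, a phone number instead of a link, nothing for a mail gateway to detonate) is exactly the kind of thing a simple mail-triage heuristic can surface. The script below is an added example written for this post; it is not code from the original post, from Unit 42, or from any vendor product. The scoring weights, the threshold, and the three sample emails are all constructed assumptions for illustration.

```python
import re

# Heuristic triage for "callback phishing" lures of the Bazar Call type:
# a billing/renewal pretext, a phone number the reader is told to call,
# and (typically) no URL or attachment for a gateway to scan.
# Weights and threshold below are assumptions for this example only.

# North American style numbers: optional +1, 3-3-4 digits with common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b")
# Words that make up the "you are about to be charged" pretext.
BILLING_RE = re.compile(
    r"\b(subscri\w*|renew\w*|trial|charge[ds]?|invoice|cancel\w*|dispute\w*|refund\w*|payment)\b",
    re.IGNORECASE,
)
# An explicit instruction to pick up the phone.
CALL_VERB_RE = re.compile(r"\b(call|phone|dial|contact)\b", re.IGNORECASE)
FLAG_THRESHOLD = 5  # assumed cut-off for "callback phishing suspect"

# Constructed sample messages (not real campaign emails). Each record is what a
# mail parser would hand us: subject, body text, extracted URLs and attachments.
SAMPLE_EMAILS = [
    {
        "subject": "Your free trial ends today - renewal charge of $299.99",
        "body": ("Your subscription will be renewed automatically. To cancel or "
                 "dispute this charge, call our billing desk at (800) 555-0142."),
        "urls": [],
        "attachments": [],
    },
    {
        "subject": "Weekly team sync",
        "body": "Agenda attached. Dial-in: 555-0199 if you cannot join via Teams.",
        "urls": ["https://teams.example.invalid/meet"],
        "attachments": ["agenda.pdf"],
    },
    {
        "subject": "Invoice #4471 paid",
        "body": "Thanks for your payment. View your receipt at https://billing.example.invalid/r/4471",
        "urls": ["https://billing.example.invalid/r/4471"],
        "attachments": [],
    },
]


def extract_phone_numbers(text: str) -> list[str]:
    """Return every phone-number-looking token in the text."""
    return [m.group(0) for m in PHONE_RE.finditer(text)]


def score_email(email: dict) -> tuple[int, list[str]]:
    """Score one parsed email; higher means more like a callback lure.

    Returns the score and the human-readable reasons that contributed to it.
    """
    text = f"{email['subject']}\n{email['body']}"
    score, reasons = 0, []

    # Pretext: distinct billing words, capped so wordy invoices do not dominate.
    pretexts = {m.group(1).lower() for m in BILLING_RE.finditer(text)}
    if pretexts:
        score += min(len(pretexts), 3)
        reasons.append(f"billing pretext words: {sorted(pretexts)}")

    # The hook: a number to call, stronger if the mail explicitly says to call it.
    phones = extract_phone_numbers(text)
    if phones:
        score += 2
        reasons.append(f"phone number(s) to call: {phones}")
        if CALL_VERB_RE.search(text):
            score += 1
            reasons.append("explicit instruction to call")

    # The evasion: no link or file means URL rewriting and sandboxing see nothing.
    if not email["urls"] and not email["attachments"]:
        score += 2
        reasons.append("no URL or attachment (nothing for the gateway to scan)")

    return score, reasons


def is_callback_phish(email: dict) -> bool:
    """Decision helper: does the score cross the assumed threshold?"""
    return score_email(email)[0] >= FLAG_THRESHOLD


def triage(emails: list[dict]) -> list[tuple[str, int, bool]]:
    """Score a batch and return (subject, score, flagged) for each message."""
    return [(e["subject"], score_email(e)[0], is_callback_phish(e)) for e in emails]


if __name__ == "__main__":
    for subject, score, flagged in triage(SAMPLE_EMAILS):
        print(f"{'FLAG' if flagged else 'ok  '} score={score} :: {subject}")
        for reason in score_email(next(e for e in SAMPLE_EMAILS if e["subject"] == subject))[1]:
            print(f"      - {reason}")
```

The point of the `urls`/`attachments` check is the one the post makes: a lure with no link and no file sails past controls that only look for something to detonate, so the absence of those artefacts is itself a signal when it sits next to a billing pretext and a phone number. In a real pipeline the weights would be tuned against your own mail, and a flagged message would feed a reporting or quarantine workflow rather than a print statement.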

So, I learned something new this week. I’m always amped when I learn something and I usually want to learn more about it. So, I’m doing more deep diving on Bazarloader and to see if there are other similar campaigns.

This whole thing also reinforced thinking outside the box when it comes to attacks. Oftentimes, the simplest objective isn’t the true objective. Why hook a little phish when a marlin is out there, like encrypting and ransoming an entire enterprise?

Also, long story short, whether it’s a credit card scam or something more malicious like this: don’t call random numbers in emails.

More readings on Bazar Call:

Posted in Informational, Labs, Using, Walk-Throughs

Build A Lab With Me… (#0)

A Multipurpose, Multisystem Endeavor

This morning I sat in on a virtual Meet-up where the topic was Building a Lab. During the pandemic I had been slowly but surely ‘collecting’ computer equipment with the thought to build out several components into something like a multitasking lab environment. I know a lot of people are all for virtual environment labs, and I had one of those as well, but I also think that different devices should have different functions, and I like the idea of re-purposing old systems.

I’m working on this because in the past my virtual lab was tied to schoolwork or CTFs and mostly focused on lightweight pentesting, and I want to get more hands-on defensive measures in place. I also want to be able to pull in threat intelligence feeds and have a machine specifically for Python scripting and researching.

An older version of the Meet-up I attended this morning

One of the things that stuck with me this morning, and is kind of a ‘duh’ moment, was to do an inventory, but I also think I’m going to try to design and designate all the components I want/have before I start building out. That’s why this blog is #0: it’s my pre-planning. I’m going to take the next week to look at the systems I have and the objectives I want to learn, and then plan out. Another piece to this will also be the documentation; I want clear and concise documentation because in a real-world scenario this would be important.

Next week or the week after I’ll share examples of my inventory assessment and initial documentation. I also plan to have designated the use of each piece.

Posted in Covid, Hiatus, Informational

The Condensed Version of Why I was MIA

It’s been a while. I kept trying to say that I would be back blogging, but there were so many compounding things.

Covid-19: I wanted to be one of those people who was super productive during Covid, not realizing how changes might affect mood. I’m an introvert by nature and it felt like ‘no big deal’….til it was. I oscillated between feeling like nothing was changing and I was stuck, to making a lot of headway last year. I made all this progress, but felt isolated…it’s not a good headspace to write from.

Changing Jobs: When I first went on radio silence I had just left a position, my first real infosec position, and there was a period of like 3 weeks where I technically had a job, but wasn’t working. I did not know how panicky not having a steady income would be (even with savings), but it was….when your money is funny you are not in a place to blog.

Contracting is for the Birds: This came later; there was a period where I transitioned from subcontracting to contracting and that was stressful. There was poor communication and a back and forth on whether I needed to find a new job, so basically I was back to panicking and stressing about what comes next. It worked out, but it also made me realize I didn’t want to stay a contractor for much longer.

2021: I turned a corner in 2021; if anything this was a great year because of all I accomplished. I racked up certs, worked and felt in my niche. I mean, by the end of 2021 I felt like I had really made a little establishment in my new career. On my team my name was synonymous with great work and I knew it, but I also was burning myself out trying to prove that I belong (burnout is real. Imposter syndrome is real. And I will discuss both in a later post). I was moving so much I couldn’t even think about slowing down to commit to blogging.

Now: Here we are.

  • I’ve got an awesome mentor
  • Have been motivated to think about branding (which is exciting)
  • I think about where I want to fit into and give back to the infosec community as a whole
  • I got to do a CTF that made me more secure in what type of infosec path I want to be on (more on this later)

All in all I’m ready to commit to this again, but with caveats. This will only be a weekly blog; the calendar I wanted was too much, too busy and hectic. This is manageable and it’s good to set boundaries (even with yourself).

In the coming weeks I will also be changing the look of this blog. Thanks to anyone who is still reading this, and sorry that I left you in the lurch.

Posted in Informational, Using, What I've Used

What I’ve Used 05/2020

Professor Messer

I wish Professor Messer would come out with a CYSA+ series. I’m just putting that out into the ether in hopes that it will be heard and manifest.

I passed Network+ and Security+ in part due to listening to Professor Messer’s lessons. When asked for resources for taking these certification exams (and A+) I always include the site in my recommendations. For one, the site is free. I know that people say “You get what you pay for…” and can be disparaging about free resources, but good free resources are out there and this is one of them. I just don’t think that adage always holds up.

Second, the videos are aligned with the exam sections, which makes it easy to backtrack or pick out the sections that are giving one trouble or that need more information or clarification. For example, if you pretest and there is a section that is an obvious need for improvement, on the Professor Messer site you can go directly to that section and review just that section.

Third, there’s an offer for offline notes and recordings, and this offer isn’t a pop-up or annoying, so it feels like monetary gain is not the main agenda. The offline purchase is exactly what it should be: an aside.

Last, the information is good information and is updated quickly. This is a super plus because, for example, A+ has had two fairly recent updates and the information on the site has updated just as quickly. By my standards keeping up with exam changes is super important because outdated information is only helpful to a certain point.

Posted in Informational

Hiatus: Over

I’m back to more regular updating after taking some unannounced / unplanned time to adjust to some changes in life.

I’ve changed positions and that was a little stressful with the whole uncertainty brought on by stay-at-home orders and remote work emerging and changing the landscape.

I’ve finished the bachelor’s portion of my college program and moved right into graduate work.

I got the results for the CYSA+ Beta and….
I failed. Ugh….and I failed by such a small margin that I will be retaking 001 before its retirement.

I’m back on Linux study.

Like I said, I’m back so look for a new post next week!