Categories
Tampa Bay What I’m Up To

UC Baseline report: It’s week 4, and now it REALLY begins

Now begins the fourth week out of five weeks at Tampa Bay security guild The Undercroft, where I’ve been taking part in UC Baseline, their cybersecurity course. This is their inaugural class, and I’ve been documenting my experiences as part of that cohort.

Me outside The Undercroft during one of our breaks.

This week is the heart of the course — Information Security 101. The previous three weeks, as instructor Gabrial “Tremere” Hartnett put it, was background material. It’s going to be the most information-dense week of the course — in fact, there’s so much material that class time has been extended by an hour each day. This week, we’re in class from 8 to 5.

(This will be a double-challenge for me as I have to teach two more Python classes on Monday and Wednesday evening, from 6 to 10.)

This should be an interesting week!

In preparation for this week, I’ve been absorbing material from  Jayson E. Street, VP of InfoSec at SphereNY, and expert at getting into places that he is absolutely not allowed to be in.

Steal Everything, Kill Everyone, Cause Total Financial Ruin!
(DEF CON 19, 2011)

Why you should watch this talk: It’s a pretty good intro to getting access to places and systems that you shouldn’t be able to access, and with skills that you probably already have. Street says that he doesn’t have amazing programming, lockpicking, or hypnotism skills — all his tricks are about exploiting human weaknesses or making use of tools that you can easily find or purchase. This talk includes the line “The best way to get management about a disaster plan is to burn down the building across the street,” which captures its essence perfectly.

Here’s the abstract for this talk:

This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive I also make sure with every attack I highlight. I spend time discussing what would have stopped me. We need to know the problems but we need more talks providing solutions and that is what I hope people will get from this. I show the dangers of Social engineering and how even an employee with no SE experience can be an eBay James Bond which can cause total financial ruin to a company. These Security threats are real. So are these stories!

I PWN thee; I PWN thee not
(DEF CON 27, 2019)

Here’s the abstract for this talk:

Attackers love it when defenses fail. Implementing defenses without properly understanding the risks and threats is usually a waste of money and resources. This is a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. Jayson will walk through real-world scenarios that have led to successful compromise of different companies through control failures. He will also give detailed analysis of controls that led to his attacks being effectively thwarted. Learn how to understand and assess real-world risks, as well as simple defenses which can be implemented to better protect your organization.

Dissecting the Hack: The F0rbi1dd3n Network  /
Dissecting the Hack: The V3rbOt3n Network
(2010 / 2016)

I’ve only started reading the first of these two books, which are probably best described as “hacker spy thriller fiction.” These books are in two parts; the first part is a story in which infosec principles play a key part, and the second part is a great infosec reference.

Categories
Tampa Bay What I’m Up To

Scenes from “Operating systems” week at The Undercroft’s “UC Baseline” cybersecurity course, part two: Windows security

Photo: The Undercroft sign, featuring the Undercroft’s “mascot” — a stag standing upright in a suit, leaning jauntily against an umbrella, walking stick-style.Last week was week 3 of the inaugural class of UC Baseline, the 5-week cybersecurity program offered by Tampa Bay’s security guild/coworking space/clubhouse for merry tech pranksters The Undercroft.

This week has been all about operating systems, and Monday to Wednesday were devoted to Linux (which I wrote about earlier). The remainder of the week, Thursday and Friday, were set aside for that contradiction in terms known as Windows security.

Here are some photos from the Windows Security days…

For this class, we moved from the room at the front of The Undercroft to the one in the back. Once again, I took my preferred perch — in the back row, on the left side of the room:

Tap to view at full size.

I have good reasons for picking the classroom seat favored by the “bad students”:

  • It provides a view of the entire room at a single glance.
  • With nobody behind me, only I see what’s on my laptop screen(s).
  • It puts me upwind from everyone’s breathing. We are still in a pandemic, after all, and while we’re wearing masks and following precautions as best we can, we’re spending long hours in a classroom. We get tired. We get careless. Our hygiene game is one thing when we arrive fresh and rarin’ to go at 8:00 a.m. and a completely different thing at 4:02 p.m., after absorbing the finer points of processors, or the SYN/ACK/RST dance, or any other concept that the instructors are firehosing at us.

Some of the topics we covered were relatively straightforward and easy enough for laypeople to grasp…

Tap to view at full size.

…while others were subjects of Windows arcana that I haven’t dealt with in depth since my time at Microsoft:

Tap to view at full size.

Windows security is much more than just the technology. As the best-known, most-deployed, most-used (and yes, most-pirated) desktop operating system out there, you have to have a clear picture of who the targets are:

Tap to view at full size.

Windows Defender — actually, as of May 2020, it’s been going by its new name, Microsoft Defender — was part of the curriculum. It’s come a long way from the Windows XP days.

Tap to view at full size.

A good chunk of the Windows Security portion of the program was devoted to “living off the land” — LotL for short — which is a great metaphor for a specific type of attack strategy.

Tap to view at full size.

Living off the land is attacking a system by using tools, software, or features that already exist in the target environment. It’s using your victim’s own resources to break into their systems.

Tap to view at full size.

Living off the land offers a number of advantages:

  • It makes it easier to avoid detection. All software leaves some kind of trace to one degree or another, and unfamiliar software performing unusual tasks usually attracts the attention of sysadmins. Familiar software that’s already on a target system tends to raise less suspicion. If you can harness software that’s already on the target system, it’s like having someone on the inside.
  • It can be difficult to install malware on a target system. Even on systems managed by people who aren’t all that careful, it can still be difficult to gain enough access to install applications on a target system without authorization.
  • The tools for administering systems are powerful, and they’re often pre-configured for easy access to the systems they’re on. If you’re an administrator, one of your performance metrics is how quickly you solve users’ problems. You’re incentivized to have software and utilities set up in such a way that you can get into their systems and change settings quickly. If you can access these, you’ve got a great attack vector.
Tap to view at full size.

Living off the land is so effective that there’s now an entire suite of tools for it: LOLBAS, which is short for Living off the Land Binaries and Scripts. It’s a set of over 100 tools for living off the land on Windows systems — and ironically enough, it’s hosted on GitHub, which is a Microsoft property.

Tap to view at full size.
Tap to view at full size.

For these two days, we needed to be running Windows. My ThinkPad runs Mint Linux, but with VMWare and a Windows 10 VM, I was running Windows within Mint. And then, we remote desktopped into another Windows machine, which meant I was running Windows from Windows from Linux:

Tap to view at full size.

I haven’t done this sort of Windows systems admins since I worked at the Beast of Redmond:

Tap to view at full size.

Let’s give this remote system’s domain a proper name…

Tap to view at full size.

…and a proper admin password as well. Remember, 668 is the Neighbor of the Beast:

Tap to view at full size.

Although we were free to play with this remote system, I will still neither confirm nor deny that I may have left little scripts that will automatically and unwillingly take unsuspecting users directly to the My Little Pony site:

Tap to view at full size.

I can’t be as creative when setting up DNS…

Tap to view at full size.

…but I can at least get it up and running:

Tap to view at full size.
Tap to view at full size.

A good sysadmin has their users corralled into the appropriate groups:

Tap to view at full size.

On Monday, Week 4 — Information Security — begins. They promise that it’ll be the most intensive part of the course; in fact, they’ve added an extra hour to each day, which means the classes run from 8 to 5 instead of 8 to 4.

This should make Monday and Wednesday interesting, as I’m teaching the final 2 days of a Python course between 6 and 10 p.m. on those evenings.

Categories
Current Events Tampa Bay

What’s happening in the Tampa Bay tech/entrepreneur/nerd scene (Week of Monday, August 10, 2020)

Hello, Tampa Bay techies, entrepreneurs, and nerds! Welcome to the weekly list of online-only events for techies, entrepreneurs, and nerds based in an around the Tampa Bay area.

Keep an eye on this post; I update it when I hear about new events, it’s always changing. Stay safe, stay connected, and #MakeItTampaBay!

Monday, August 10

Tuesday, August 11

Wednesday, August 12

Thursday, August 13

Friday, August 14

Saturday, August 15

Sunday, August 16

Do you have an upcoming event that you’d like to see on this list?

If you know of an upcoming event that you think should appear on this list, please let me know!

Join the mailing list!

If you’d like to get this list in your email inbox every week, enter your email address below. You’ll only be emailed once a week, and the email will contain this list, plus links to any interesting news, upcoming events, and tech articles.

Join the Tampa Bay Tech Events list and always be informed of what’s coming up in Tampa Bay!


Categories
Tampa Bay What I’m Up To

Scenes from “Operating systems” week at The Undercroft’s “UC Baseline” cybersecurity course, part one: Linux 101

Tap to view the photo at full size.

It’s the end of Week 3 of the inaugural class of UC Baseline, the cybersecurity program offered by Tampa Bay’s security guild/coworking space/clubhouse for merry tech pranksters The Undercroft. This week has been all about operating systems, with Monday to Wednesday devoted to Linux, and Thursday and Friday set aside for that contradiction in terms known as Windows security.

Not everyone in the program is a techie, and not everyone in the program has had much experience with the operating system, so the Linux portion of the week was largely an introduction.

Here are some photos from the Linux days…

Tap to view the photo at full size.
Tap to view the photo at full size.

A lot of the sessions were hands-on. To ensure that we were all seeing the same thing for each exercise, we all ran a GUI-free Ubuntu from a USB key:

Tap to view the photo at full size.

This is me setting my hostname. The denotation of the name is the French word for “host”, but the connotation in Quebec French is a little more…colloquial:

Tap to view the photo at full size.

The Undercroft has a nice little enclosed courtyard, and I love having lunch there. I’m going to miss it when the course ends:

Tap to view the photo at full size.

I took advantage of a little downtime during the day to whip up a simple port scanner in Python, complete with 1337 H4X0R 5P34K:

Tap to view the photo at full size.

I don’t write shell scripts often, but when I do, 75% of the script’s purpose is to share an inside joke with myself:

Tap to view the photo at full size.

Even though I spend my time on the command line on POSIX-based systems like Linux and macOS, I do it in a GUI-based terminal program, where I can control/command-N a new window or control/command-T a new tab. Instead of that nice, cozy world, we were deep in 80-by-24 land, which meant we were splitting screens with good ol’ tmux, which I haven’t used in a dog’s age.

In the top pane below, I was working on a quick Python script to call from .bashrc for kick, and in the bottom pane, I thought I’d run Gopher for old times’ sake:

Tap to view the photo at full size.

No OS administration class is complete without covering the process of adding and managing users:

Tap to view the photo at full size.

 

Categories
Process Tampa Bay What I’m Up To

UC Baseline: Windows security

We’re on the back half of Week 3 of UC Baseline, the cybersecurity training program being given by The Undercroft, Tampa Bay’s cybersecurity guild and security-focused coworking space. We just finished three days of Linux 101, which was mostly an intro to command-line Linux, and now it’s time for two days of Windows from a security point of view.

Scenes from UC Baseline’s “Linux 101” class. Tap to see at full size.

I’m the lucky recipient of a UC Baseline scholarship (I wrote about the scholarship opportunity and then landing it a few weeks back), and I figured that I might as well use my COVID-19 downtime productively by spending five-ish weeks participating in the program.

Tap the photo to see my article from 2009 associated with this photo.

From the fall of 2008 to the spring of 2011, I ate, slept, and breathed Windows — that’s when I was a developer evangelist for Microsoft Canada. I like to think that I was pretty good at it — good enough that the looney-tunes site TechRights.org saw me as enough of a threat to run a hit piece containing this image:

Since leaving Microsoft, I’ve stayed pretty much outside the Windows world. I call it “time off for good behavior”. I took it to the point that immediately after handing in my blue badge, I drove straight to the store and bought my first iPhone — and remember, I was a designated Windows Phone champ:

This part of the program is being taught by Michael “Turtle” Dorsey, and it’s a great refresher for a lot of material that I haven’t covered in a good long time, since none of my machines runs Windows at the moment (for the class, I’m running Windows 10 in VMWare on my primary Linux laptop).

The class opened with this slide, which I think bodes very well:

Categories
Hardware What I’m Up To

Unboxing the Motorola One Hyper

Yeah, yeah, I know the plastic screen covering for shipping is still on. Tap to view at full size.

In my opinion, when it comes to getting the best bang and build quality for the buck on an Android phone, check out Motorola’s phones. Lenovo — the same company who took Right now, they’ve got discounts on many of their mobiles, including $100 off any of the Motorola One family — the Action, the Zoom, and the one I got: the Hyper.

With the discount, the unlocked Hyper goes for US$299 when purchased directly from Motorola. That’s a pretty good price for an Android phone with mid-level specs.

Released on January 22, 2020, the Hyper features the Qualcomm Snapdragon 675 chipset, which was released in October 2018. This chipset features 8 cores:

  • 2 high-performance 2 GHz Kryo 460 Gold cores
  • 6 high-efficiency 1.8 GHz Kryo 460 Silver cores

Its GPU is the Adreno 612, and it has an X12 LTE modem with category 13 uplink and category 15 downlink.

Here’s a quick video review of this chipset from Android Authority’s Gary Sims:

As a point of reference, this chipset is also used in Samsung’s Galaxy A70, A60, and M40, and LG’s Q70.

This chipset puts the Moto One Hyper firmly in the middle of the road of current Android offerings, making it a reasonably representative device for an indie Android developer/article author like Yours Truly.

The phone’s “Hyper” name is a reference to its “hyper charging” — high-speed charging thanks to its ability to take a higher level of power during the charging process. It comes with an 18 watt charger (the same level of power provided by the current iPad Pro and iPhone 11 chargers), but if you have a 45 watt charger handy, the phone’s 4,000 mAh battery will charge in just over 10 minutes.

The phone also comes with the usual literature and SIM extraction pin:

There is one additional goodie that I didn’t expect: a clear, flexible, rubber-like plastic case. It’s nothing fancy, but it was still a nice surprise.

I’ll post more details about the phone as I use it and start doing development work (native stuff in Kotlin, as well as some cross-platform work in Flutter, and maybe even Kivy).

Categories
Current Events Tampa Bay

The “Tampa Teen” behind the “Twitter Hack”

The good news: Tampa Bay is the location of one of the biggest high-tech stories of the year!

The bad news: It’s because the breach that everyone calls the “Twitter Hack,” in which several verified accounts were used to scam people out of an estimated $100,000 in a single day, has been traced to a 17 year-old Tampa resident named Graham Ivan Clark. His story has been published in the New York Times article, From Minecraft Tricks to Twitter Hack: A Florida Teen’s Troubled Online Path.

The scam

The scam involved hijacking the Twitter accounts of celebrities, politicians, businesspeople, and other “blue check” people and using them to post tweets like the one below:

It didn’t matter that offers to “double your money” from Jeff Bezos, Barack Obama, Kanye West, and Kim Kardashian were simply too good to be true, even with the appeal of “giving back” to help ameliorate the suffering caused by COVID-19. Enough people with enough disposable income to invest in cryptocurrency were fooled.

The exploit

In order to pull off the scam, he would need access to these “blue check” accounts. There are a handful of ways to do it:

  1. With Twitter, you can log in with your username (which is publicly known) and a password. A weak password — that is, one that’s easily guessed, or one of those lazy passwords that too many people use — makes for an easy target. This might work for accessing one or two accounts, but not for a lot of them.
  2. Exploiting some weakness in Twitter’s software or infrastructure to gain access to their system. In spite of the stories you hear about hackers, this is a high-effort, low probability-of-success scenario.
  3. Social engineering: Fooling or intimidating the people who run, administer, or maintain a system in order to get them to let you into that system, or provide enough useful information to do so.

The initial reports indicate that Clark took the social engineering route and convinced someone at Twitter that he was a fellow employee, and as a result, got access to a customer service portal. Vice’s Motherboard posted some redacted screenshots of what this portal:

This shouldn’t be all that surprising — the human element is often the most “hackable” part of a system:

In the end, this scam is best described as “high-concept, low-skill.” In fact, the way they went about it has been described as “extremely sloppy.”

The Bitcoin addresses listed in the tweets turned out to be traceable to Coinbase accounts belonging to Clark’s accomplices, who registered them with their real driver’s licenses. One of them even did so from their home IP address, an amateur move that’s been a staple of computer heist movies and TV series since WarGames, and it was a key plot point in Hackers.

The NYT TLDR

You should read the New York Times piece on Clark, but if you want the highlights, here they are:

  • He is 17 years old, a recent high school graduate, and he lived by himself.
  • A Minecraft player since the age of 10, Clark became known as “as an adept scammer with an explosive temper who cheated people out of their money,” according to people who knew him.
  • A former Minecraft friend said this of Clark: “I knew he really wanted money and he was never in the right mind-set. He would do anything for some money.” Another friend describes him this way: “He’d get mad mad. He had a thin patience.”
  • Family life, as the NYT puts it: “Mr. Clark and his sister grew up in Tampa with their mother, Emiliya Clark, a Russian immigrant who holds certifications to work as a facialist and as a real estate broker. Reached at her home, his mother declined to comment. His father lives in Indiana, according to public documents; he did not return a request for comment. His parents divorced when he was 7.”
  • In 2016, he played in Hardcore Factions — Minecraft with PvP and all the baggage that goes along with it — and built a YouTube audience while doing so. He also scammed fellow Minecraft players: “One tactic used by Mr. Clark was appearing to sell desirable user names for Minecraft and then not actually providing the buyer with that user name. He also offered to sell capes for Minecraft characters, but sometimes vanished after other players sent him money.”
  • Under the handle “Open”, he gained a reputation for being “a scammer, a liar, a DDOSer”:

  • Of course, he eventually migrated to Fortnite.
  • Around the same time, he joined the OGUsers forum. The NYT: “His OGUsers account was registered from the same internet protocol address in Tampa that had been attached to his Minecraft accounts, according to research done for The Times by the online forensics firm Echosec.” On OGUsers, he also disappointed customers by failing to meet his end of the bargain after being paid.
  • Want to guess where in Tampa he lives? The NYT posted this photo of his apartment. Let’s see if any of you have good satellite image/map image search-fu:
Clark’s apartment. Tap to see at full size.

(My guess is Wesley Chapel, judging from the architecture, artificial lake, and the availability of “stroads” in which to open up the throttle on his BMW. What do you think?)

  • He moved from Minecraft to Bitcoin.
  • He was also into SIM swapping, again to relieve victims of their cryptocurrency. Last year, he was involved in the theft of almost $900K worth of Bitcoin, when hackers SIM swapped the phone of a Seattle tech investor. By doing so, they gained access to several of the investor’s accounts. Clark was one of them. Despite being caught by the Secret Service, he wasn’t arrested because he was a minor.
  • He made enough money to live in an apartment by himself, drive a BMW 3 series, maintain an expensive gaming setup, and own a gem-encrusted Rolex.

Local news could use some local techie help

In my old home town of Toronto, whenever a story like this broke out, the local news stations went to the tech community to get background information. I was often one of those community members consulted:

Unfortunately, there isn’t such an arrangement here in Tampa, so local news’ coverage has had me rolling my eyes. I suppose it made for some good entertainment:

Maybe we Tampa Bay techies need to get on their radar and become go-to people for information when stories like this arise.

Photo: The Undercroft sign, featuring the Undercroft’s “mascot” — a stag standing upright in a suit, leaning jauntily against an umbrella, walking stick-style.At the very least, local news should have The Undercroft on speed dial to provide some much-need background info and context when the story’s about a system being compromised.