Day-0 of an InfoSec Career | TechSNAP 209
Posted on: April 9, 2015

Is it possible to make a truly private phone call anymore? The answer might surprise you. Cisco and Level 3 battle a huge SSH botnet, and how to build a successful Information Security career.
Plus a great batch of your questions, a rocking round up, and much, much more!
— Show Notes: —
How to make secret phone calls
- “There’s a lot you can find in the depths of the dark web, but in 2013, photographer and artist Curtis Wallen managed to buy the ingredients of a new identity”
- “After purchasing a Chromebook with cash, Wallen used Tor, virtual marketplaces, and a bitcoin wallet to purchase a fake driver’s license, insurance card, social security number, and cable bill, among other identifying documents. Wallen saw his new identity, Aaron Brown, as more than just art: Brown was a political statement on the techno-surveillance age.”
- The article sets out the steps required to conduct untraceable phone calls
- The instructions are based on looking at how CIA OpSec was compromised by cell phones in the cases of the 2005 extraordinary rendition of Hassan Mustafa Osama in Italy and their surveillance of Lebanese Hezbollah
- “using a prepaid “burner” phone, posting its phone number publicly on Twitter as an encrypted message, and waiting for your partner to decrypt the message and call you at a later time”
- Analyze your daily movements, paying special attention to anchor points (basis of operation like home or work) and dormant periods in schedules (8-12 p.m. or when cell phones aren’t changing locations);
- Leave your daily cell phone behind during dormant periods and purchase a prepaid no-contract cell phone (“burner phone”);
- After storing burner phone in a Faraday bag, activate it using a clean computer connected to a public Wi-Fi network;
- Encrypt the cell phone number using a onetime pad (OTP) system and rename an image file with the encrypted code. Using Tor to hide your web traffic, post the image to an agreed upon anonymous Twitter account, which signals a communications request to your partner;
- Leave cell phone behind, avoid anchor points, and receive phone call from partner on burner phone at 9:30 p.m.—or another pre-arranged “dormant” time—on the following day;
- Wipe down and destroy handset.
- “The approach is “very passive” says Wallen. For example, “Posting an image to Twitter is a very common thing to do, [and] it’s also very common for image names to have random numbers and letters as a file name,” he says. “So, if I’ve prearranged an account where I’m going to post an encrypted message, and that message comes in the form of a ‘random’ filename, someone can see that image posted to a public Twitter account, and write down the filename—to decrypt by hand—without ever actually loading the image. Access that Twitter account from Tor, from a public Internet network, and there’s hardly any trace that an interaction even happened.””
- “This is not easy, of course. In fact, it’s really, comically hard. “If the CIA can’t even keep from getting betrayed by their cell phones, what chance do we have?””
- “Central to good privacy, says Wallen, is eliminating or reducing anomalies that would pop up on surveillance radars, like robust encryption or SIM card swapping. To understand the risks of bringing unwanted attention to one’s privacy practices, Wallen examined the United States Marine Corps’ “Combat Hunter” program, which deals with threat assessment through observation, profiling, and tracking.”
- “Anomalies are really bad for what I’m trying to accomplish—that means any overt encryption is bad, because it’s a giant red flag,” Wallen said. “I tried to design the whole system to have as small a footprint as possible, and avoid creating any analyzable links.”
- “I was going out and actually buying phones, learning about different ways to buy them, to activate them, to store them, and so on,” said Wallen, who eventually bought a burner phone from a Rite Aid. “I kept doing it until I felt like I’d considered it from every angle.”
- “After consulting on commercially available Faraday bags, Wallen settled on the Ramsey Electronics STP1100”
- Wallen cautions his audience about taking his instructions too literally. The project, he says, “was less about arriving at a necessarily practical system for evading cell phone tracking, than it was about the enjoyment of the ‘game’ of it all. In fact, I think that it is so impractical says a lot.”
- “Bottom line,” he adds. “If your adversary is a nation state, don’t use a cellphone.”
- Guide to creating and using One-Time Pads
- John Oliver: Government Surveillance — Interview with Edward Snowden
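The scheme above hinges on the one-time pad being used correctly: a truly random pad at least as long as the message, used exactly once. The following is an added example, not code from the article or from Wallen's project, that encrypts a digit string (such as a phone number) with a digit pad by modular addition, decrypts it, and shows the classic failure mode: reusing a pad lets anyone subtract two ciphertexts and recover the relationship between the two plaintexts without ever seeing the key. The phone numbers and the fixed pad in the test are constructed sample values.

```python
import secrets


def generate_pad(length):
    """A fresh pad: one uniformly random digit per message digit, from the OS CSPRNG.

    This is what makes the scheme information-theoretically secure; a pad
    derived from a password, a book or a PRNG with a short seed is not a one-time pad.
    """
    return "".join(str(secrets.randbelow(10)) for _ in range(length))


def _check_digits(*strings):
    for s in strings:
        if not s.isdigit():
            raise ValueError("one-time pad over digits needs digit-only strings")


def otp_encrypt_digits(message, pad):
    """Ciphertext digit = (message digit + pad digit) mod 10."""
    _check_digits(message, pad)
    if len(pad) < len(message):
        raise ValueError("pad must be at least as long as the message")
    return "".join(str((int(m) + int(k)) % 10) for m, k in zip(message, pad))


def otp_decrypt_digits(ciphertext, pad):
    """Plaintext digit = (ciphertext digit - pad digit) mod 10."""
    _check_digits(ciphertext, pad)
    if len(pad) < len(ciphertext):
        raise ValueError("pad must be at least as long as the ciphertext")
    return "".join(str((int(c) - int(k)) % 10) for c, k in zip(ciphertext, pad))


def pad_reuse_leak(ciphertext_a, ciphertext_b):
    """What an observer learns when the same pad encrypted two messages.

    (m_a + k) - (m_b + k) == m_a - m_b (mod 10): the key cancels out, so the
    difference of the plaintexts is exposed. Positions where both messages
    share a digit show up as 0, which already reveals a shared prefix.
    """
    _check_digits(ciphertext_a, ciphertext_b)
    return "".join(
        str((int(a) - int(b)) % 10) for a, b in zip(ciphertext_a, ciphertext_b)
    )


if __name__ == "__main__":
    number = "5551234567"  # constructed sample value, not a real number
    pad = generate_pad(len(number))
    ct = otp_encrypt_digits(number, pad)
    print("pad        :", pad)
    print("ciphertext :", ct)
    print("decrypted  :", otp_decrypt_digits(ct, pad))
    # Reuse demonstration: encrypt a second number under the same pad.
    ct2 = otp_encrypt_digits("5559876543", pad)
    print("leak (m1-m2 mod 10, no key needed):", pad_reuse_leak(ct, ct2))
```

The leak string is the point of the example: the observer never sees the pad, yet the leading zeros tell them the two numbers begin with the same digits, and the remaining digits pin down one number as soon as the other is guessed. That is why the guide linked above insists on one pad per message, destroyed after use.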
Cisco and Level 3 battle a huge SSH botnet
- “Talos has been monitoring a persistent threat for quite some time, a group we refer to as SSHPsychos or Group 93. This group is well known for creating significant amounts of scanning traffic across the Internet. Although our research efforts help inform and protect Cisco customers globally, sometimes it is our relationships that can multiply this impact. Today Cisco and Level 3 Communications took action to help ensure a significantly larger portion of the Internet is also protected.”
- “The behavior consists of large amounts of SSH brute force login attempts from 103.41.124.0/23, only attempting to guess the password for the root user, with over 300,000 unique passwords. Once a successful login is achieved the brute forcing stops. The next step involves a login from a completely different IP range owned by shared hosting companies based out of the United States. After login is achieved a wget request is sent outbound for a single file which has been identified as a DDoS rootkit.”
- “Once the rootkit is installed additional instructions are downloaded via an XOR encoded file from one of the C2 servers. The config file is largely constructed of a list of IP addresses that are being denied and filenames, and files to be deleted.”
- “At times, this single attacker accounted for more than 35% of total Internet SSH traffic”
- Level 3 then worked to block the malicious traffic
- “Our goal, when confirming an Internet risk, is to remove it as broadly as possible; however, before removing anything from the Internet, it is important to fully understand the impact that may have to more benign hosts. To do this, we must understand more details of the attacker’s tools and infrastructure.”
- “As part of the process, Level 3 worked to notify the appropriate providers regarding the change. On March 30th SSHPsychos suddenly pivoted. The original /23 network went from a huge volume of SSH brute force attempts to almost no activity and a new /23 network began large amounts of SSH brute forcing following the exact same behavior associated with SSHPsychos. The new network is 43.255.190.0/23 and its traffic was more than 99% SSH immediately after starting communication. The host serving the malware also changed and a new host (23.234.19.202) was seen providing the same file as discussed before, a DDoS rootkit.”
- “Based on this sudden shift, immediate action was taken. Talos and Level 3 decided to remove the routing capabilities for 103.41.124.0/23, but also add the new netblock 43.255.190.0/23. The removal of these two netblocks introduced another hurdle for SSHPsychos, and hopefully slows their activity, if only for a short period.”
- “For those of you who have Linux machines running sshd on the open Internet, be sure to follow the best practice of disabling root login in your sshd config file. That step alone would stop this particular attacker from being successful in your environment.”
- Remote root login should never be allowed anyway
- Hopefully this will send a clear message to the providers that allow these types of attackers to operate on their network. If you don’t clean up your act, you’ll find large swaths of your IP space unusable on the public internet.
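The detection side of the story above is simple to reproduce from sshd's own logs. The following is an added example, not code from Talos, Level 3 or the show, that parses constructed auth.log lines, counts failed root password attempts per source, flags sources that either cross a threshold or fall inside the two netblocks the writeup names (103.41.124.0/23 and 43.255.190.0/23), and lists any successful root password login, which is precisely what the recommended `PermitRootLogin no` setting prevents. The log lines are constructed samples; the non-netblock addresses are documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# The two source netblocks named in the Talos / Level 3 writeup.
SSHPSYCHOS_NETBLOCKS = [
    ipaddress.ip_network("103.41.124.0/23"),
    ipaddress.ip_network("43.255.190.0/23"),
]

# Constructed sample auth.log lines (not captured traffic). Only the two
# netblocks come from the writeup; everything else is documentation address space.
SAMPLE_AUTH_LOG = """\
Apr  9 21:01:02 host sshd[1201]: Failed password for root from 103.41.124.17 port 51324 ssh2
Apr  9 21:01:03 host sshd[1201]: Failed password for root from 103.41.124.17 port 51325 ssh2
Apr  9 21:01:03 host sshd[1204]: Failed password for root from 103.41.125.200 port 40011 ssh2
Apr  9 21:01:04 host sshd[1207]: Failed password for root from 43.255.191.9 port 33890 ssh2
Apr  9 21:01:05 host sshd[1209]: Failed password for invalid user admin from 198.51.100.7 port 2222 ssh2
Apr  9 21:01:06 host sshd[1210]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:constructed
Apr  9 21:01:07 host sshd[1212]: Accepted password for root from 203.0.113.5 port 41000 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_auth_log(text):
    """Return (Counter of failed logins keyed by (user, ip), list of (method, user, ip) accepted)."""
    failed = Counter()
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[(m["user"], m["ip"])] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["method"], m["user"], m["ip"]))
    return failed, accepted


def in_known_netblocks(ip):
    """True if the address lies in one of the netblocks from the writeup."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SSHPSYCHOS_NETBLOCKS)


def root_bruteforce_sources(failed, threshold=2):
    """Source IPs with at least `threshold` failed root logins, plus any
    source in the known netblocks regardless of count. Sorted for stable output."""
    per_ip = Counter()
    for (user, ip), n in failed.items():
        if user == "root":
            per_ip[ip] += n
    return sorted(
        ip for ip, n in per_ip.items() if n >= threshold or in_known_netblocks(ip)
    )


def root_password_logins(accepted):
    """Successful root logins that used a password: the exact event the
    writeup's mitigation (disabling root login in sshd_config) removes."""
    return [ip for method, user, ip in accepted if user == "root" and method == "password"]


# The sshd_config fragment the writeup recommends, with the password path
# closed as well so that guessing any user's password stops working.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    failed, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources :", root_bruteforce_sources(failed))
    print("root password logins:", root_password_logins(accepted))
    print("recommended sshd_config:\n" + HARDENED_SSHD_CONFIG)
```

On a real host the same logic runs over /var/log/auth.log (or `journalctl -u ssh`), and the netblock list would be replaced by whatever threat-intel feed you trust; the threshold is the usual fail2ban-style knob. The sshd_config change should be tested from a second session before the old one is closed, so that a typo does not lock you out.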
How to Build a Successful Information Security Career
- A question I often get is “how do I get into InfoSec”
- Myself, not actually being an InfoSec professional, and never having really worked in that space, do not have the answer
- Luckily, someone who is in that space, finally wrote it all down
- “One of the most important things for any infosec professional is a good set of inputs for news, articles, tools, etc.”
- So, keep watching TechSNAP
- Basic Steps:
  - Education (Sysadmin, Networking, Development)
  - Building Your Lab (VMs, VPSs from Digital Ocean)
  - You Are Your Projects (Build something)
  - Have a Presence (Website, Blog, Twitter, etc)
  - Certifications (“Things have the value that others place on them”)
  - Networking With Others (Find a mentor, be an intern)
  - Conferences (Go to Conferences. Speak at them)
  - Mastering Professionalism (Dependability, Well Written, Good Speaker)
  - Understanding the Business (Businesses want to quantify risk so they can decide how much should be spent on mitigating it)
  - Having Passion (90% of being successful is simply getting 100,000 chances to do so. You get chances by showing up)
  - Becoming Guru
- It is a very good read, broken down into easy to understand steps, with the justification for each requirement, as well as some alternatives, because one size does not fit all
- Related, but Roundup is already full enough: How to Avoid a Phone Call from Brian Krebs – The Basics of Intrusion Detection and Prevention with Judy Novak
Round Up:
- Announcing Git Large File Storage (LFS)
- Amazon EFS
- One in seven employees will sell corporate passwords for $150 or less
- Hidden backdoor API to root privileges in Apple OS X
- Vulnerability in Firefox forced Mozilla to disable opportunistic encryption
- The FBI Has Its Own Secret Brand of Malware
- AT&T Call Center staff sold hundreds of thousands of customer records to criminals
- Expired SSL certificate
  - Google lets the Root CA certificate that issues the smtp.gmail.com certificate expire
- Congress must end mass NSA surveillance with next Patriot Act vote
- Greenwald criticized universities which open up their campuses to government agencies in exchange for funding
- 8 Ways You Didn’t Know Hackers Could Steal Your Identity
- Apple did not remove CNNIC Root CA from trust lists in latest security update
- Every Wi-Fi Router Should Look Like The USS Enterprise
- IT Security in a nutshell