Backlogged on my tech project list for far too long, I have finally gotten around to enabling SSL on this blog 🙂 Unfortunately/fortunately I am very busy coding Ruby, training new Security Engineers, doing the needful (kindly), or generally hacking away on InfoSec projects most of the day at my place of work, Amazon.
Maker projects, Linux projects, and general tech projects are occasionally squeezed into my schedule, however, if only to prevent me from going bonkers! Thanks to my friend Ashrabi I have one of the new Raspberry Pi B+ models in transit as we speak; I can’t wait to tinker with the latest hardware and see what projects come from it.
On the Road
Over the past few weeks I have traveled to various international locations for work (England, Ireland, Germany, etc). Trips like these offer a great excuse to stress-test the security camera projects I have built over the past few months.
In real life, I can say that Foscam’s product offerings are top-notch and worthy of the hype. The 720p unit I picked up recently off of Amazon.com supports pan/tilt/zoom, infrared night vision, two-way audio, and even comes with free dynamic DNS access to boot! Checking in on my 2 crazy dogs while traveling was extremely easy using the Foscam device + ‘Tiny Cam Monitor Pro’, an Android application available on the Amazon App Store for a dollar or two (but typically on sale due to its popularity!). I use tinyCam Monitor on my Kindle HDX and Note 3. Password authentication, SSL certificates, and firewall configuration are all presented within the Foscam web configuration interface, helping security-minded neckbeards sleep easier.
The open source project ‘Motion’, running on top of a Raspberry Pi, also produced pretty great motion-detection results for me throughout my travels: it caught an apartment maintenance worker entering my apartment (for a scheduled inspection) and accidentally leaving the lights on! Thanks to Motion + Raspberry Pi I was able to catch this honest mistake, inform the apartment management, and promptly have the light bulb in question turned off, with both visits caught on camera in 720p video/stills 🙂
AppSec EU 2014
OWASP AppSec EU 2014, a yearly security conference held this year in Cambridge, UK, took place at the end of June, with yours truly in attendance. Security professionals from around the globe made for a fantastic week of training, seminars, and tech talks that kept the audience informed, impressed and entertained. Of particular interest to me were a few DevOps-based lectures, web app security training platforms, botnet/malware research from PhD researchers, and a thought-provoking speech by GNU’s own Richard Stallman.
Two botnet researchers hit a topic that is very close to home & the headlines, as one of my favorite dynamic DNS providers (No-IP) was recently taken down by Microsoft in an attempt to squash botnets. Without prior warning from Microsoft, No-IP watched some of its most popular domains get seized. Good intentions don’t always equal good results, however, and Microsoft’s takedown of No-IP domains caused large-scale outages in many legitimate services, including some of my own tinker Raspberry Pi projects. Microsoft’s approach to identifying those botnets may not have differed much from that of the Anglia Ruskin University PhD researchers I saw at OWASP AppSec EU, since a common technique for identifying and analyzing botnets increasingly relies on Domain Generation Algorithms (DGAs). The DGA approach to botnet research analyzes domain names, focusing on how predictable or random a given domain name is. Humans will typically use dictionary words, their own name, a company name, or something else with a somewhat predictable and ‘standard-ish’ naming convention. The domain names used by botnet command and control (C&C) servers typically look much different, appearing like a mash of the keyboard: long strings of random characters and numbers. If my website’s domain name was “geareagaergearanea242624.ddns.net” would you still visit me? Ha! Yeah, I guess not :p
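As an added example (not code from the post or from the researchers mentioned), here is a small defender-side scorer in the spirit of the DGA approach above: it rates the user-chosen label of a dynamic-DNS name by character entropy, digit density, and how much of it a word list can explain, then runs that over a few constructed resolver log lines. The word list, the log format, and the thresholds are all assumptions to be replaced with your own.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a real word list (assumption; not from the post).
DICTIONARY = {"my", "blog", "camera", "pi", "dog", "home", "office", "mail", "secure"}

def shannon_entropy(s):
    """Bits per character; a label of all-unique characters scores log2(len)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def dictionary_coverage(label):
    """Fraction of the label covered by greedy longest-match dictionary words."""
    i, covered = 0, 0
    while i < len(label):
        for j in range(len(label), i + 1, -1):   # longest candidate first
            if label[i:j] in DICTIONARY:
                covered, i = covered + (j - i), j
                break
        else:
            i += 1                               # no word starts here
    return covered / len(label) if label else 0.0

def dga_score(fqdn):
    """Score the leftmost (user-chosen) label of a dynamic-DNS style name."""
    label = fqdn.lower().split(".")[0]
    digits = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return {"label": label, "length": len(label),
            "entropy": round(shannon_entropy(label), 2),
            "digits": round(digits, 2),
            "words": round(dictionary_coverage(label), 2)}

def looks_generated(fqdn):
    """Heuristic: long, not explained by words, and random-ish or digit-heavy (tune on your logs)."""
    s = dga_score(fqdn)
    return (s["length"] >= 12 and s["words"] < 0.4
            and (s["entropy"] > 2.5 or s["digits"] > 0.2))

# Constructed resolver log lines in a made-up key=value format.
LOG_LINES = [
    "2014-07-10T14:02:11 client=10.0.0.5 qtype=A name=myhomecamera.ddns.net",
    "2014-07-10T14:02:15 client=10.0.0.7 qtype=A name=geareagaergearanea242624.ddns.net",
    "2014-07-10T14:02:19 client=10.0.0.5 qtype=A name=officemail01.ddns.net",
    "2014-07-10T14:02:23 client=10.0.0.9 qtype=A name=xk3qz8wpvj2hn7tmd.ddns.net",
]

def flag_queries(lines):
    """Return the queried names that look algorithmically generated."""
    found = [re.search(r"name=(\S+)", line) for line in lines]
    return [m.group(1) for m in found if m and looks_generated(m.group(1))]
```

Note that the post’s own example label has low entropy (it repeats “gear”), so entropy alone would miss it; the word-coverage check is what catches it.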
“Why are botnets/malwarez increasingly taking advantage of dynamic DNS providers like No-IP?” you may ask.
Well, botnets and malware have evolved through three basic stages of distribution/communication over the years. Baby botnets of the past typically communicated via IRC channels; these are relatively easy to block from a networking approach (blocking whatever standard IRC ports are in use via firewall rules).
Pre-teen, angst-filled botnets, or the 2nd generation of botnets, changed their communication approach to mostly P2P communications on random high ports; this is actually how the early versions of SpyEye and Zeus communicated. P2P had its own problems, in that it was relatively easy to identify a compromised host, and within a very controlled environment such as a virtual machine you could purposely become part of the P2P botnet to study and analyze its behaviour.
Finally, after some growing pains and evolution, the most recent generation of botnets (such as newer versions of SpyEye/Zeus) seem to have migrated towards HTTP/web-based propagation and communication. Botnets using common web ports like 80 and 443 can successfully evade traditional firewall rules that block IRC, P2P and the other usual suspects.
Botnets + SSL
Also helping the botnet masterminds: newer versions of TLS support the use of certificates that call out a domain name instead of a traditional static IP address. This means that a botnet using dynamic DNS can also communicate over SSL, and stand a pretty good chance at evading traditional detection from prying eyes! Clever girl. How about I just obfuscate my botnet names by adopting a domain name generation algorithm/convention using IMDb actor names? Or how about predictively/preemptively purchasing those domains to sneak up on those C&C servers!?
No-IP’s outage only lasted a few days, with the two companies coming to some sort of ‘settlement’ and a public notice placed on the homepage of No-IP apologizing for the disruption. Building security cameras, controlling botnets, or enhancing the security of my very own blog: it is funny how all of these topics flow and relate to each other in some small way or another. Occasionally it is nice to take a look back at your personal studies, work efforts, and community involvement to see that everything is connected. You always have more to learn. It’s for these reasons (and more!) that I really enjoy being a lifelong nerd, making technology a part of every minute/hour/day.
Bikes, beers and dogs
Occasionally though, some relaxation is required. So after a long month of traveling via planes, trains & automobiles, an injection of ‘merica was necessary after arriving back in the Pacific Northwest. To satisfy this urge, much BBQ chicken was had from RoRo’s in Fremont, hoppy IPAs & shitty beer (Rainier / Olympia) were acquired, dogs were hugged, and a gnarly mountain bike trip to Sandy Ridge, Oregon sealed the deal. Now if someone could just turn down the temperature in Seattle this week, it would be just perfect!
Pics (or it didn’t happen)