Silicon Shecky

Infosec Practitioner

The one about banking passwords…

March 5, 2021 By Michael Kavka Leave a Comment

The world of cybersecurity understands the need for secure passwords. While passwords with special characters, numbers and both capital and lower case letters help make them more secure, length is a factor too. These reasons, along with using unique passwords for every site, are why we recommend password managers. It has been a long running feud with sites to get them to allow some of these factors, especially banking sites. The most common things they have issues with are long passwords and special characters, and some of this stems from legacy systems that might still be in production. Mainframes that do the actual work tend to have less secure requirements (I have seen this in many companies that have mainframe systems for specific things).

There is now another issue in the mix, and that is financial software. I recently was trying out Quicken, which I had used years before, to see if I could recommend it to someone I know after they had asked about it. My prior experiences with it had been positive, and I was glad to see that things looked pretty much the same, but updated and a bit easier to use. That was until I went to enter one financial institution's password to get transactions. Quicken itself has decided that you should use only up to a 12 character password (I use much longer ones), and will not work with longer passwords. Not only do they do this, but the error message puts the blame on the financial institution, which is an outright lie.
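As an added illustration (not part of the original post) of why a 12 character cap matters, the following Python compares the strongest password each policy even allows; the policy names and the 80-bit floor are assumptions chosen for the example.

```python
import math
from typing import Optional

# Sizes of common character sets (printable ASCII includes space and symbols).
CHARSETS = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "printable": 95,
}


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length and charset."""
    if length <= 0 or charset_size < 2:
        return 0.0
    return length * math.log2(charset_size)


def max_attainable_bits(max_length: Optional[int], charset: str) -> float:
    """Strongest password a policy permits; None means no length cap at all."""
    if max_length is None:
        return math.inf
    return entropy_bits(max_length, CHARSETS[charset])


def audit_policy(name: str, max_length: Optional[int], charset: str,
                 floor_bits: float = 80.0) -> dict:
    """Flag a policy whose length cap prevents users from reaching floor_bits."""
    best = max_attainable_bits(max_length, charset)
    return {"policy": name, "max_bits": best, "weak": best < floor_bits}


if __name__ == "__main__":
    # Constructed policies: a 12-character cap (as in the post) versus no cap.
    for row in (audit_policy("client_12_char_cap", 12, "printable"),
                audit_policy("bank_no_cap", None, "printable")):
        print(row)
    # A 20-character lowercase-only string already beats a 12-character
    # string drawn from the full printable set, which is the length argument.
    print(entropy_bits(12, 95), entropy_bits(20, 26))
```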

When I talked to support they apologized and said there is nothing that can be done at this time to correct the issue. That is their choice, and I will tell the person who asked me about it not to use it for security reasons at this time. What worries me is the everyday person who will believe the lies coming from Quicken on this. The number of breaches, and the security of online accounts, especially financial ones, is awful, and many banking sites still have issues with MFA (and those that do have MFA force SMS and do not allow for authenticator apps or hardware dongles). Having a third party dictate less secure passwords is wrong for overall security.

We have a difficult enough time with security, we do not need companies forcing us to be less secure than we need to be.

Filed Under: Rants, Security, Software Tagged With: Banking, Passwords, Quicken

Holiday CTF review

January 14, 2021 By Michael Kavka Leave a Comment

With the holiday season behind us, so are the yearly holiday themed CTF challenges. I participated in 2 of them, TryHackMe's Advent of Cyber and the SANS Holiday Hack Challenge.

Going into TryHackMe's Advent of Cyber I was not sure what to expect. I had been using TryHackMe off and on for learning. I had found them a bit easier to navigate and honestly more my speed right now compared to Hack The Box. The first thing about it was that the format had not really changed from their normal learning paths except for one thing: they supplied a browser connected attack box if you chose to go that route. If you were not a paying member of TryHackMe you had to use that browser based box, otherwise you could use your OpenVPN connection and your own VM/system for doing the challenges. The browser attack box I found a bit painful to use due to lag. Booting it up, you were warned, would take a bit, but once up it was slow responding for me. It also split my browser in half, with no real good way of resizing. The minimum to help with this would have been being able to open the attack box in a new tab. This would have minimized scrolling and the loss of the desktop real estate that many would be used to having. It also would have stopped the constant side scrolling back and forth, which causes redraws of the desktop and slows the process down.

The challenges on the other hand were a great tool, and fun. There was a whole "Santa's been hacked" theme going on. The idea was one topic to learn (multiple questions) per day. So one day you would be using nmap, one day Burp, one day something else. 25 days, 25 direct topics. The Advent style of this meant you do not have to spend hours upon hours on the CTF. Most days took me no more than 45 minutes to go through. Also, a top level topic would span days, so you would get multiple days of web attacks, with each day covering a different thing (command injection, Burp, SQLi etc.), and it would follow that top level topic day to day. Each topic could build upon the prior ones at times, or be stand alone. The accompanying video for each day was a nice added touch for people that learn better that way, and while they did get into the topic a little bit more, and occasionally gave the thought process of the person doing the video, they basically amounted to reading the actual written instructions/explanations of the topic that come before the actual CTF questions. At the end of the video though they did do a walkthrough. This was nice if you got stuck, but since it gave the answers in most instances it could be used to bypass actually doing the challenge itself. Rating Advent of Cyber on a scale of 1-10, I would give it a solid 8.

Kringlecon, otherwise known as the SANS Holiday Hack Challenge, is a different creature. Yes, it is a story driven type of CTF, with a web based interface. It also has mini terminals for you to use to solve the challenges, so you do not need a VPN setup at all. There are challenges for every skill level, and this year they added a Discord server where there were rooms for each individual challenge so you could get help if needed. Most challenges had multiple ways to figure them out, and there was a wide variety of challenges included. The intro to Linux challenge was a good mini-version of what I got when doing my SANS 504 class last year. The intro to scapy again is a great base tool learning challenge. There were 12 main objectives and a number of side ones. Overall I solved 7 of the main objectives and a number of the side ones. I had unlocked 4 of 7 parts of the narrative. This was better than I had done the prior year, so while not finishing everything, I was very satisfied. The talks that lined up with objectives worked well. As it was free flowing and everything was there at once, it was also easy to get lost for hours on end. I spent 2 hours on the scapy intro only to run into a problem where I accidentally deleted the file I needed on the final question and had to start again. Moving around was tough at times, and even tougher if you did not use the option to make other players disappear from your screen. The other advantage is that while the competition is over, you can still go and do the challenges (and all the past Holiday Hack versions also). One thing missing is a way of saving your progress when in a challenge, as going out to get hints or look at hints you got from the elves meant restarting the whole challenge. Rating Kringlecon on a scale of 1 to 10, again it gets a solid 8.

One last thing is the prizes for these. With the Holiday Hack Challenge they choose from write ups of the event that are sent in by a specific date, which has passed at the time of this post. With Advent of Cyber, for each day you completed you got your name entered into a drawing for prizes; this also has passed. The write up method is nice since part of security is being able to write up what you have done and how you accomplished it, especially on the red team side of things. Just getting entered into a drawing, on the other hand, makes the prizes available to a wider range of people, including those who are not good at write ups.

I do recommend both, although it looks like Advent of Cyber is not available anymore, but there are other learning paths, all in their CTF style, at TryHackMe (they just added a Blue Team based path). I do look forward to seeing what they come up with for the 2021 challenges.

Filed Under: Reviews, Security Tagged With: CTF, Holiday Hack Challenge, Kringlecon, Kringlecon2020, SANS, TryHackMe

Solarwinds Sunburst: Haven’t We Been Here Before?

December 30, 2020 By Michael Kavka Leave a Comment

Timing is not everything, it is the only thing. I really believe that and have for a good portion of my life. A little bit off, a little bit early or late, and things do not happen, things can be missed, and who knows what the result would have been. How this relates to the title of this post is simple: the past tends to repeat itself, and I currently am seeing that through a book that I am reading.

The book is called Sandworm by Andy Greenberg. It covers a Russian hacking group that has been attributed with NotPetya amongst other attacks on Ukraine. We all know about NotPetya; remember how it crippled a shipping company called Maersk. All this happened a month after WannaCry hit. There are many similarities I am noticing as I watch those who are unravelling the Solarwinds Sunburst attack, compared with what has been revealed about how the Sandworm group operates, namely leading into the NotPetya attack. Surprisingly, I have not seen mention of this on Twitter, or in any news reports/blog posts on the Sunburst attack.

Mr. Greenberg, in his book Sandworm, had interviewed Amit Serper of Cybereason about his reverse engineering of NotPetya and subsequent investigation of the malware and attack. The short version is that it was a supply chain attack that used M.E. Doc's own update server to install a compromised update. The NotPetya attack happened in June of 2017, but Mr. Serper found a webshell on those update servers going back to November 2015. So they were on the network for at least a year and a half before the attack.

Let us take a look at what has been revealed about Sunburst. It is a supply chain attack that used Solarwinds' own update servers to install a compromised update. Currently the information security world sees October 2019 (just over a year before discovery) as the latest point at which Solarwinds was compromised (while that timeframe is accepted right now, since the investigation is still going on I do not want to say that it is definitive). Now go back a paragraph and re-read what I learned about NotPetya. Sounds similar, doesn't it?

I have not yet finished reading Sandworm, but other interesting tidbits that I read included Robert M. Lee of Dragos (among others) wanting to warn the ICS world about this type of attack due to the Ukraine blackout attacks, which were also attributed to the Sandworm hacking group. It also revealed how little the U.S. Government did to warn about these types of attacks or this hacking group since it was Ukraine that was targeted.

The timing of me reading this book is really what has brought the similarities up to me (I do recommend the book). I am not attributing the Solarwinds situation to the Sandworm group. I do not have the expertise to do that. I am saying that it looks like history might be repeating itself. I do not know if anyone else has noticed these similarities, but I assume someone else has. The question remains though: will we actually learn from this, or will this become yet another case of "all this has happened before and it will happen again"?

Filed Under: Ramblings, Rants, Security Tagged With: NotPetya, Sandworm, Solarwinds, Sunburst
