Security Chipmunks

Episode 12 - Hackers Wishlist

Edna Season 2 Episode 12

Share episode

Send us a text

Welcome to the Security Chipmunks podcast where we talk about the development of cybersecurity skills. To stay up to date in today's world you need to be resilient, that’s why as Advanced Persistent Chipmunks we keep chipping away at it.


SANS Holiday Challenge and Kringle Con -  https://www.sans.org/mlp/holiday-hack-challenge/ 


What’s new in the Discord. THM Advent of Cyber 3, join and get shiny holographic stickers. We’re encouraging and working together, answering questions. 

We have a fun Security Chipmunks Secret Santa exchange. Suggested limit is $50. Join and share joy this holiday season with your fellow hackers. The deadline to sign up is December 15th. https://discord.gg/KM7UUsgwfH

--------------------------------------------------

Wish List Ideas

https://www.hack.xxx/ - CDC blanket

https://www.zerodayclothing.com/ - Great t-shirts

EDC bag https://mountainsmith.com/products/dry-tour

Silent pocket https://slnt.com/

Yubikeys https://www.yubico.com/

Hackerboxes - https://hackerboxes.com/

Flipper zero one

https://flipperzero.one/
https://www.kickstarter.com/projects/flipper-devices/flipper-zero-tamagochi-for-hackers 
https://blog.flipperzero.one/november-update/ (Updates on the blog.)

---------------------------------------------------

Online Safety:

Keep talking with your kids about online safety, it’s an ongoing process. When major changes happen, keep the conversation going. If you create an online Minecraft server, make sure to check in with them. 


https://pi-hole.net/


Ubiquiti - employee hacker 

https://thenextweb.com/news/ubiquiti-ex-employee-hacker-whistlblower-ransom 


New Tools:

https://cvetrends.com/

https://pandastutor.com/





Socials

SPEAKER_01:

Welcome. My name is Mixed Edna Johnson, and I am here with my co-host Neil Smalley and Patrick Lowther. I'm glad to be here with you today.

SPEAKER_00:

Glad to be here. It's nice to be here.

SPEAKER_01:

So I was, uh... Looking into what challenges are coming up. We've got the Sands Holiday Challenge and KringleCon coming up. Are either of you participating in that this year?

SPEAKER_02:

I hadn't planned on it personally, but then again, I am trying to finish up some school stuff here before the end of the year.

SPEAKER_00:

Nice. Yeah, I'll probably be hopping in the Sands Holiday Challenge. That's usually a pretty solid fun time. Plus the music that goes with it. Can't beat it.

SPEAKER_01:

Yeah. True. Yep. And so in our Discord, we're working through the TriHackMe Advent of Cyber 3. So we're offering anyone that joins us in our Discord to get a shiny special security chipmunk sticker. It's shiny and holographic. So we'll be offering support and encouragement, and we'll be working together to get those challenges solved. And another thing that we're doing is the Security Chipmunk Secret Santa Exchange. This is the first year we're doing it. And we've got a suggested limit of$50. And we're getting some hackers joining in, security experts. And it'll be a fun thing to do. So we encourage you to join our Discord and join in our... Secret Santa exchange and having some fun and sharing that holiday joy this season.

SPEAKER_00:

We should do a cookie exchange too.

SPEAKER_01:

I like cookies.

SPEAKER_00:

Yeah, me too.

SPEAKER_01:

Are they real cookies or web cookies?

SPEAKER_00:

Why not both? That would be

SPEAKER_02:

pretty good. You have to authenticate with the cookie to the website to get the cookies.

SPEAKER_00:

That's actually kind of a good little idea for a holiday challenge. Kind of like with the Hack the Box challenge. We'll put together a little contest and whoever gets into the website can put in whatever they want their dead drop located and we'll dead drop them some cookies. Precisely.

SPEAKER_01:

Yeah, that sounds fun. Speaking of the Secret Santa and Holiday Gifts Exchange, we were putting together a list of some things that the hacker in your life might be interested in, like hacker gift ideas. So what were some of the things that... You wanted... Neil.

SPEAKER_02:

Oh, so... Personally, I don't think you can go without a good fanny pack as a hacker. Like, having somewhere to put all your floppy disks is an essential part of any accoutrement. And so... They call them lumbar packs, but they're really fanny packs. So Mountain Smith makes some really good lumbar slash fanny packs. So these aren't like your small jogging ones. These will actually fit like an 11 inch Chromebook or something like that typically. You'd have to double check the proportions on the pack you're ordering of course, but Yeah, they can usually carry some small items like a tablet or something like that. So it can be quite handy to have something to handle all those cables or whatever you might need to be storing in there.

SPEAKER_01:

Yeah. So I know that people in the industry, cybersecurity professionals, they love clothing. So two websites where you could get clothing from are ZeroDayClothing.com and Hack.XXX. I just did a Secret Santa exchange, a Hacker Secret Santa, and I got a Cult of the Dead Cow blanket that was from the Hack.XXX website. Very nice. It was a very soft blanket.

SPEAKER_02:

Very cool.

SPEAKER_00:

Blankets are great. I'm always a big fan of really comfortable socks.

SPEAKER_01:

Nice. All right. Being comfy is important.

SPEAKER_00:

It is. Either that or work at home attire. Pajama pants and stuff like

SPEAKER_02:

that. That's a good point. I personally last year had received a hooded bathrobe and that was pretty life changing it's like the work from home equivalent of the hacker hoodie I think

SPEAKER_01:

yeah nice very cool so I kind of have a maker spirit so one thing that I like and I've subscribed to these boxes before it's called hacker boxes and so you get like a box of electronics and you'll get like three or four projects in it and can solder it together and Sometimes there's like Arduinos and you have to code it. Yeah, so some cool things in there. Sometimes they'll have badges. Sometimes they'll have nifty tools that are handy. Neil looks so surprised.

SPEAKER_02:

That's because I think I accidentally muted Patrick by mistake.

SPEAKER_00:

I'm fine. Don't worry about it. Or, you know, since the old hackers love caffeine type of thing, there's always quite a few caffeine lovers, so like a really good... What do they call them now? It's not the Yeti, but something similar to that, like a Contigo or a Yeti or whatever.

SPEAKER_02:

Yeah.

SPEAKER_00:

Tumblers. That's what they are.

SPEAKER_02:

Tumblers, yep.

SPEAKER_00:

Yeah. Those are always really nice to have. I like the big ones, so I can just fill it up and drink. Yes. Keep

SPEAKER_01:

that caffeine going. Incredible. For

SPEAKER_02:

sure.

SPEAKER_01:

So another thing that people that are security conscious might like is YubiKeys. Those are great. That's something that you have for authentication, logging in.

SPEAKER_02:

My personal favorite, I actually just ordered one the other week. Sitting here on my desk is the YubiKey 5 NFC version. That way I don't have to struggle with finding an adapter for my phone or even getting the more expensive USB-C type one. The NFC one is not only cheaper, it lets me use it with my phone.

SPEAKER_01:

It's

SPEAKER_02:

pretty handy that way.

SPEAKER_00:

Since it's NFC, have you tried playing around with it where you could actually steal that NFC signal?

SPEAKER_02:

Not really, but then again I'm not too worried about that just because of how close I've had to get it. I'm sure you could probably boost the signal if you really tried, but it just hasn't been... a particular issue for me. I mean, if I was really worried about it, I'd get something like a silent pocket or something that makes actual lockers that you can put your phone in and stuff.

SPEAKER_00:

Yeah. Don't they make a mesh pocket as well, like a bag that has woven copper mesh in it that basically forms a Faraday cage around it?

SPEAKER_02:

Yeah, I mean, that's the idea. It's basically a Faraday bag for your phone. And there are ones that I'm my understanding is like they're actually make decent ones because I know there's lots of brands out there that um don't make ones that actually work that well. And the silent pocket is one that I've actually heard of that is supposed to actually do proper Faraday bags. I mean, at the end of the day, it's a Faraday bag, right? So if you boost the signal, it's not necessarily going to protect you, right? So it really depends on what you're trying to accomplish. But for most use cases, It should be fine.

SPEAKER_00:

The only reason why I brought that up was because one of my gadgets that I've been trying to drop hints on is the Flipper Zero. The little dolphin Tamagotchi thing that's come out. It's a wireless flipper and you can sit there and grab NFC, Bluetooth, Wi-Fi, a whole bunch of different stuff with it. It's a pretty nifty little device so

SPEAKER_02:

absolutely the only caveat I would put on that is that as one of the Kickstarter backers I've been getting their you know production logs and what not so they've really been hit hard with the supply chain shortages and so even now they're still in production of like their first run or whatever like the very first few runs so as backers, we're still way beyond even getting that initial few badges. I guess not like initial run, because they had different stages of runs that they're doing. I think I'm probably in the third stage. I think they were doing five different run versions or something. Anyway, I don't have the technical breakdown, but yeah, they were way in. Even getting the LCD screen specifically for the circuit board for it, they were waiting on that for a while. I think they finally just got those in. So yeah, it could be a bit before you actually get it, but it does look pretty darn cool.

SPEAKER_01:

So as we're getting into the holiday season, we should probably be making sure we're talking to kids about online safety again. That should be an ongoing conversation, and sometimes you think you've talked with them well enough and you've drilled it into their head plenty enough times, but find out that maybe they haven't. So I recently found out that uh my kids opened up their minecraft server and their discord server to people from the internet so we had to have a conversation about that and make some changes so that they aren't talking to some random people that they don't know

SPEAKER_02:

so i know some people talk about like how they monitor everything and they just like have everything thing locked down like how do you feel about like in terms of like parenting like are you gonna like have all your kids devices just locked down and everything's filtered and like all these web proxies and stuff or how like how do you have that conversation or like how do you approach that

SPEAKER_01:

well I have a level of trust with my kids and right now that trust has been broken a bit And so we're working on reestablishing that trust. I don't want to lock down their internet access completely. They have websites that they're allowed to visit and they're not allowed to put like their real name out online. We have certain rules that are meant to protect them from people finding out like who they are online and stuff. But I want them to also learn how to use the internet. So if they, I don't want them to like share personal identifiable information and stuff, but they also like, they use the internet for school. They use it to communicate with their friends. Like we've moved out of state. So now they don't really use Facebook. So all of their communications with their friends is like through their, films or their their games so it's I'm also like evaluating their mental health because they because of the pandemic they haven't been able to make friends where we live now so they're all like all of their friends are online so I don't want to just cut that out of their life you know because that would be really hard so it's a balance And it was a difficult event for us with that breach of trust that we had. And we'll work through it. And I'm now taking a lot more charge of their online communications. So that adds like an additional burden to me. What about you guys? What do you think, Patrick? How do you deal with your kids being online? It

SPEAKER_00:

depends. My oldest, he's 18. You know what? He can pretty much do whatever he wants within reason. I'm not going to say there's not training wheels on my own network work or guard rails or anything like that internally you know I run basically DNS guard and stuff like that and what that will do is knock down just a whole bunch of not only is ads and all that good garbage you can also set up certain resolver groups for you know devices and things like that with that and so you can actually filter the kids traffic based on that depending on the kid and how old they are and what my wife and I deem is appropriate for them they may not be able to get certain websites or anything like that things like YouTube or anything like that they all have basically sock accounts that we can use and as parents my wife and I we can go in and set like what content should be available to them on the account so it's better than just saying no YouTube or saying here's all of YouTube you know so that way you can yeah actually use within like youtube kids like those accounts and you can track and use basically like the content filtering within uh google provides to get you that stuff also with that you can then have a spare burner account um if you ever need it but

SPEAKER_01:

uh

SPEAKER_00:

yeah i mean that's typically what we do with our kid they have access to the internet but like their devices are um like all enrolled in like screen time and everything like that so we control those what they can and can't do on the devices via that they have general content filtering all that good stuff so um and then when they get mouthy or lippy you know uh dad plays around with the old ubiquity gear and uh basically applying rate limiting and stuff like that so they end up getting like a 56k connection on the wi-fi Welcome back to my day, kids. This was nice. Yeah.

SPEAKER_02:

RuneScape.

SPEAKER_00:

Yeah. Okay, your hour's up. I just

SPEAKER_02:

logged in.

SPEAKER_00:

Uh-oh, somebody's calling. You just got disconnected. Exactly.

SPEAKER_01:

Yeah, back in those days.

SPEAKER_00:

So that I mean, that's typically how I approach it. I mean, I, I have trust with the kids, but I'm also going to guard realm and like, they won't see like the full internet until, you know, that they get teenagers and stuff like that. Um, like their school devices and all that. I don't trust their school devices at all. So they are, they are pretty much, uh, client isolation mode and they can get on a, uh, with Ubiquity you can run multiple SSIDs so they have their own SSID on that that tosses them in their own little VLAN their VLAN can't talk to any of my devices or anything like that and I keep them away from my stuff because my lab environment will be doing things that they don't need to be in and I don't trust the school district to keep their stuff up to date or anything like that so yeah all that fun stuff

SPEAKER_02:

yeah so is that I think you said something about AdGuard is that AdGuard.com or DNSGuard

SPEAKER_00:

DNSGuard yeah so DNSGuard or if you wanted to do like a Cisco used to have it was OpenDNS yeah OpenDNS is very similar to it What else can you do? If you're looking for like open source solutions, things like PyHole, PyHole DNS, or PyHole, it's basically a Raspberry Pi distribution that runs DNS and DCP on it. And basically you set your devices to pull DCP from that and it will DNS black hole things for you. I think there's on PFSense, you can do DNS block as well. Yeah, there's a whole slew of technology that you can roll out for that but my home network stack like the non lab side of the house is ubiquity gear running like the access points and all that fun stuff so typically leverage a lot of that

SPEAKER_02:

oh speaking of ubiquity did you hear about the hullabaloo over there

SPEAKER_00:

yeah that's actually funny the insider 3 You know, everybody says, oh, there's no, you know, we trust our people. Well, insider threat right there. Yep. Did you see how he got caught?

SPEAKER_02:

Wasn't it like his$5 VPN had an IP leak?

SPEAKER_00:

Yes, a$5 VPN. That's just hilarious.

SPEAKER_01:

Mm-hmm.

SPEAKER_02:

Yeah, I mean, a lot of VPNs are just pay to slow your traffic down, and that's pretty much the benefit of it. Well, aside from being able to access Netflix from other countries, that's pretty much your basic use case at the end of the day for a lot of those. Unless you're rolling your own, and even then, that can be problematic.

SPEAKER_00:

To me, it's interesting. I mean, this is where I'm going to start sounding old again. But like back in the earlier days of internet relay chat, one of the popular things to do was to scan for what's called WinGates. And WinGates were basically computers running software that you can openly connect to, like an open WinGate, and basically use it as a proxy. And so you'd start scanning, like when somebody would join a channel, you could kick off a port scan on like a network and look for open wind gates. And as you gather more and more, you could use that to feed into your small botnet or anything like that that you may have. And then all of the bots that are connecting would then have a layer of protection. So when they would try to get DDoSed offline or anything like that, they'd be attacking the wind gate. And so the bot could come back on just by pulling another proxy and connecting through that.

SPEAKER_02:

Interesting.

SPEAKER_00:

Those were the days. Since we were kind of talking about internet safety and stuff around the holidays and all that, make sure as parents or as security-minded folks, you run updates on your new devices and your new toys and everything everything like that you know make sure you're right because you get a brand new like laptop and all of a sudden you don't have anything installed on there or anything like that you start browsing the internet you know and all of a sudden you got yourself a fun filled malware machine

SPEAKER_02:

so do you do like scripts or do have like playbooks or anything that you uh put up your new hardware with when you get it

SPEAKER_00:

typically what i'll do is i'll connect it to the internet only after i've installed like a bare minimum of uh like tooling available for it so things like i'm going to put on my web browsers of choice first um use like offline update from for windows uh toss windows on like that everything that can fit on like a usb key type of thing so you you know go from a known good host to here's my other stuff i can deploy up so

SPEAKER_01:

yeah good advice all right

SPEAKER_00:

or if we want to toss in a plug for Microsoft here, what you could do is run a home lab with, say, five E5 licensing in it. and then toss those new devices into an Intune. And so when you sign into it with a new device with like your small domain credentials, Intune will detect that, oh, hey, you know, you're credentialed and you have access to like the E5 licensing. So that means you can have access to Windows 10 Enterprise or Windows 11 Enterprise. And then you can have it kick off a deployment of your baseline software that way. It's all about that zero touch.

SPEAKER_02:

Yeah, that's for sure. Speaking of tooling and tools, there are some interesting tools that people put out this month or even websites. So the first one I was looking at is called cvetrends.com and so basically someone took some Twitter APIs and combined it with data from NIST's NVD. And so that's their vulnerability data feeds. And then they also combined it with the GitHub APIs. So it's now in kind of like a tweet deck, like column to view there of 10 most recent ones or something like that. And so then it breaks it down by the description and severity and then it gives you all the recent tweets relating to it so it's pretty cool in that regards

SPEAKER_01:

yeah I saw the tweet deck looking one it's nice

SPEAKER_02:

and then the other thing wasn't necessarily strictly security related but if you use python at all and you're familiar with the pandas library there's something now called pandastutor.com which will help you visualize how to use the pandas So pandas helps you work with basically databases. And so that's a way you can actually look at what connects to what else. And it's a very convenient way to visualize stuff that would normally be pretty confusing otherwise.

SPEAKER_01:

Yeah.

SPEAKER_00:

Actually, if we wanted to tie that back to security, common thing to do and and Jupyter playbooks is have Python. And so if you're doing like a browser-based type of Python, that would help you visualize some of your results and your data within those Jupyter playbooks.

SPEAKER_02:

Right, so in Jupyter, typically it'll only show the, like it says on the website, it'll only show the input data and the final result. So this helps you break down what's actually going on behind the scenes, it says, as it were. So what the code is actually doing, that's very kind of step-by-step. So I think anything that's very step-by-step can be helpful when you're just trying to learn it, or even if you're just trying to debug a problem that's complex. All right.

SPEAKER_01:

I want to remind our listeners to join us on our Discord. You can find the link to join at securityjibmonks.com. And we are participating in the TryHackMe, AdventCyber3, as well as we have the Security Chipmunk Secret Santa Gift Exchange happening. So join us so you can come have fun with us and connect with your fellow cybersecurity-minded friends.