October 20, 2016

If you’re not familiar with the term phishing, it is an attempt to fraudulently obtain sensitive information such as account login and passwords, Social Security numbers, credit card numbers, account numbers, etc.

The most common form of phishing is through the use of email, but it can also happen over the phone. Phishing has become one of the most – if not the most – common ways criminals obtain sensitive information. As IT departments have locked down computer systems, attackers have found that humans are often the weakest link in the security chain. Why spend hours trying to find a way to break into a computer when you can just ask the human using it to provide the information you want?

The common thread in phishing is that the attackers try to come up with a believable scenario and ask you to do something. This may be as simple as emailing you a link asking you to reset your email password; when you click on the link you go to a website that looks just like the real one. Except it isn’t.

Cloning a website has become an easy process for an attacker to do. There are easily obtainable tools to copy websites, for example Some techniques even forward you on to the real website so you don’t become suspicious when your login doesn’t work.

Sophisticated Attacks

Unfortunately, there isn’t an easy solution to this problem. As time has gone on the attacks have become more and more sophisticated. Long gone are the days when phishing attempts used poor grammar and punctuation, which served as a red flag to alert you that something wasn’t quite right about that email asking you to reset your bank account password.

Now, we see ever more sophisticated and pointed attacks, often referred to as spear phishing. The attacker will find out the names of the most important individuals, the college president for example. They will then find who reports to these executives and impersonate them with requests.

An example of a college that fell prey to this scheme involved an attacker that impersonated the president. They asked an employee in payroll to send them the W2s of the college’s employees so they could review them. The employee, not wanting to question or upset who they perceived as their superior, complied with the request, and sent the attacker copies of the employees’ W2s.

Security Awareness Training

There is help. The California Community Colleges (CCC) Information Security Center offers free online Security Awareness Training for all employees of the CCC, and phishing awareness is part of this training. You can sign up for the training at our website.

In general, though, here are some tips to avoid being the victim of phishing scams:

  • An IT department should never ask you to reset your password through email.
  • An IT department should never ask you for your password over the phone.
  • You should never send any sensitive information through regular email. This includes Social Security numbers, credit card numbers, account numbers, and any documents that include these. Email is not encrypted and should never be used to send and receive such sensitive information.
  • Don’t open documents you are not expecting to receive, and if you are ever asked to enable macros after opening a document, don’t do it. This is a common way an attacker will try to infect your computer with malware.
  • Never go to your bank’s website by clicking on a link from an email, as it may be fraudulent.
  • If you receive a message that doesn’t look right to you, report it to your local IT department.

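As an added illustration of the link advice above (example code written for this page, not something from the original post), the following Python scans an HTML email body for anchors whose visible text names one host while the href actually goes to another, which is the pattern behind a link that "looks just like the real one". The sample email body is constructed, and the bank and lure hostnames are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML email body whose visible link text names the bank,
# while the underlying href points somewhere else entirely (the classic lure).
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Please verify your identity here:</p>
<a href="http://login-verify.example.net/reset">https://www.examplebank.com/login</a>
<p>Or visit our <a href="https://www.examplebank.com/help">help center</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Return the hostname named by a URL-looking string, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    # Plain words such as "help center" are not hostnames; require a dot.
    return host.lower() if host and "." in host else None


def find_mismatched_links(html):
    """Return links whose visible text shows one host but whose href goes to another."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        shown, actual = _host(text), _host(href)
        if shown and actual and shown != actual:
            suspicious.append({"shown": shown, "actual": actual, "href": href})
    return suspicious


if __name__ == "__main__":
    for hit in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"link text shows {hit['shown']} but goes to {hit['actual']} ({hit['href']})")
```

Mail filters and awareness tooling apply the same heuristic. It only catches a mismatch in the display text, not a lure that hides the destination behind "click here", so it complements the rule of typing your bank's address yourself rather than replacing it.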
Categories: CCCTechEDge Article

Security Matters: Password Security

September 24, 2016

Password. That’s a cringe-inducing word. What a pain; you constantly need to change your passwords. You have to use mental gymnastics to remember all of them, and don’t get me started on special characters. I hate passwords.

Yes, I am the Chief Information Security Officer of a large organization, and I can admit I hate passwords just as much as anyone else. Now, I know they are extremely important but, in my opinion, they are often mismanaged.

When IT administrators put so many restrictions on passwords, we actually drive people to even more dangerous practices—like writing down your passwords on a sticky note, and using the same password for all the things we log in to. Although often-hated passwords are a necessity, I would like to explore passwords and prove the pain can be eased.

Password vs. Passphrase

First, let’s take a look at password complexity. The default Microsoft Windows password policy requires eight characters, including one uppercase letter, one lowercase letter, one number and one special character. By this rule, “Password1!” is an acceptable password. Unfortunately, from past experience, this is exactly the kind of password I see being used. It follows the pattern: an English word, a number, and a special character, in that order.

Explaining the reasons why this approach is unsafe will be the subject of another article but rest assured, with this type of password, if there is a security compromise, the attacker can often get the plain-text password of a large majority of an organization.

A much better approach to ensuring password security is to remove the complexity requirements and instead require much longer passwords called “passphrases”. I know what you are saying. “I have to remember a longer password and that is better!?!?” Hear me out: Yes, it is. A passphrase is easier to remember.

Think about it. Which would be easier to remember, the password, “HaRdS1#!”, or the passphrase, “I like the flowers in the springtime?” I think we can all agree the second one is much easier to remember, because this is how our brains are wired. A plain-English phrase is something we have been memorizing since childhood.

Something that is not obvious unless you are a mathematician is that the passphrase is also much more secure. It is harder to break once the password has been scrambled into the form in which it is stored on the computer. An attacker can brute-force an eight-character password in just about a day, but a 15-character passphrase would take a near-infinite time with the computing power available today.

Passwords In Practice

Now, let’s take a look at password re-use. I know it is tempting to come up with a good password and use it on all the websites we use. This is a dangerous practice because websites are being breached on a daily basis, and passwords are not always stored securely. There have been many large sites that have had breaches with all their user accounts compromised and publicly posted on the web.

Take a look at the website This site will show you if your account has been compromised by some of the more recent public breaches. The danger is that once your email address and password are exposed, criminals can use it to try to log in to other sites. For example, if your Dropbox password is the same one you use for online banking then you should change it immediately, as Dropbox had a breach back in 2012 that has just now been discovered.

This is why I recommend the use of a password manager. The one I use is LastPass but there are several excellent ones out there. The idea of a password manager is that it will generate a unique random password for each website that you need to log in to. There is one master password that you need to remember to unlock all the other passwords. This password is used to encrypt all the passwords so they are only ever useable once you have unlocked them with your master password.

Therefore, a password manager lets you have unique passwords for each site while only needing to remember one password. If one of your accounts is ever compromised, the attacker won’t be able to use your password on another site to perform some nefarious activity. All you have to do is visit the site that was compromised and use the password manager to create a new secure, random password.
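To put numbers on the length-versus-complexity comparison from the previous section, and to show what a password manager generates for each site, here is an added example written for this page (not code from the original article). The guess rate of 10^11 per second is an assumed figure for an offline attack on a fast hash, and the alphabet size of 95 assumes the attacker has to cover all printable ASCII.

```python
import math
import secrets
import string

# Assumptions for the estimates below (illustrative, not measured figures).
PRINTABLE_ASCII = 95          # printable ASCII, including space
GUESSES_PER_SECOND = 1e11     # assumed offline attack rate against a fast hash
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Number of candidates an exhaustive search must try for a secret of this length."""
    return alphabet_size ** length


def brute_force_seconds(length, alphabet_size=PRINTABLE_ASCII, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the given guess rate."""
    return keyspace(length, alphabet_size) / rate


def entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Bits of entropy if every character is chosen uniformly and independently."""
    return length * math.log2(alphabet_size)


def describe(length, alphabet_size=PRINTABLE_ASCII):
    """Human-readable summary of keyspace size and exhaustive-search time."""
    secs = brute_force_seconds(length, alphabet_size)
    if secs < 86400:
        human = f"{secs / 3600:.1f} hours"
    else:
        human = f"{secs / SECONDS_PER_YEAR:,.0f} years"
    bits = entropy_bits(length, alphabet_size)
    return f"{length} chars over {alphabet_size} symbols: {bits:.0f} bits, exhaustive search {human}"


def generate_site_password(length=20,
                           alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager does per site: a fresh random string from a CSPRNG.
    The default alphabet is the 94 printable characters other than space."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(describe(8))    # an eight-character password such as "HaRdS1#!"
    print(describe(15))   # a 15-character passphrase
    print(describe(36))   # "I like the flowers in the springtime"
    print("manager-generated:", generate_site_password())
```

Run as written, the eight-character case finishes in under a day and the 15-character case takes on the order of 10^11 years at that rate, which is the comparison the article draws. The estimate treats every character as independent; a passphrase built from dictionary words carries less entropy per character than that, which is why length still matters and why the manager draws random characters rather than words.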

Two Steps Are Better Than One

Finally, let’s look at two-factor authentication. Two-factor authentication uses something you have, which can be a device you plug in to your computer, a text message that is sent to your phone, or an application on your phone, to authenticate.

This, in my opinion, is the ultimate solution. You can let everyone use a much easier-to-remember shorter password, and if it is ever compromised the attacker still can’t get into a system without the device that you carry with you.

For example, someone gets your username and password for your bank account, but you have two-factor authentication set up. So, now when the attacker tries to log in to your bank account, you get a notification on your phone that someone is trying to log in to your bank account, and the mobile app asks you to press the “Confirm login button” to allow the login to continue.

Since you are not trying to log in to your bank account, you would just click “No” on an app, and go change your bank password. With the disaster averted, you can now contact your bank and report the incident, knowing your hard-earned money is still safe.

Intro To CIS Critical Controls

August 25, 2016

I have been asked many times, “What are reasonable security controls?” This is a hard question to answer, as what I consider to be reasonable isn’t what others would. As an information security officer, I tend to be very risk-averse.

After all, information security is what I refer to as a “weak link” problem. What I mean by that is it only takes one weak link for an attacker to be able to gain a foothold into a network.

Until recently, there were no California-specific regulations or legal opinions to be able to point to about how to prevent network attacks. There are of course the California data security breach notification laws—the first of their kind in the nation—that explain what an institution has to do after a breach occurs. However, there was nothing that said how you should be protecting the data that you are collecting in the first place.

That finally changed this year when the State Attorney General of California published the 2016 California Data Breach Report. In the report, Attorney General Kamala Harris gives a set of five recommendations to prevent the most common breaches, thus finally giving us a legal definition of “reasonable security controls.”

First Line Of Cyber Defense

The attorney general’s first recommendation is to implement the Center for Information Security’s Controls for Effective Cyber Defense, also known as the CIS Critical Controls. The CIS Critical Controls consist of 20 control categories, each with a subset of controls. They are very straightforward and easy to follow. I would encourage everyone to download and read them.

These controls really do work and this should now be the standard that you are working on implementing at your college. The controls are prioritized in order of importance, and if you are implementing them you should start with number one and work your way down.

You will quickly realize that, to be able to implement these controls properly and still maintain the openness of a college campus, you may need to do some re-architecting. Take for example the first control, “Inventory of Authorized and Unauthorized Devices”: If you look at a typical college campus, there are many hundreds if not thousands of devices that come and go in a single day. It is nearly impossible to be able to know what every device is and who is using it.

However, if your network is properly segmented into different trust levels then the problem becomes a lot easier to tackle. You should be able to securely configure your network to disable free access in the most secure segments, where each device needs to be registered and tightly controlled, and block access to outside devices.
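As an added example of what the first control looks like on a tightly controlled segment (written for this page, not code from CIS or the original article), the following Python reconciles the devices seen in an ISC dhcpd lease file against a register of authorized devices and reports the ones nobody registered. Both the register and the lease records are constructed samples.

```python
import re

# Constructed: the authorized-device register for a tightly controlled segment.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "lab-controller-01",
    "aa:bb:cc:00:00:02": "badge-server",
}

# Constructed sample of ISC dhcpd lease records observed on that segment.
DHCPD_LEASES = """
lease 10.20.0.11 {
  hardware ethernet aa:bb:cc:00:00:01;
  client-hostname "lab-controller-01";
}
lease 10.20.0.12 {
  hardware ethernet aa:bb:cc:00:00:02;
  client-hostname "badge-server";
}
lease 10.20.0.77 {
  hardware ethernet de:ad:be:ef:12:34;
  client-hostname "android-7f3c";
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s*\{(?P<body>.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-f:]{17});", re.I)
NAME_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Yield (ip, mac, hostname) for each lease block in dhcpd.leases format."""
    for block in LEASE_RE.finditer(text):
        body = block.group("body")
        mac = MAC_RE.search(body)
        name = NAME_RE.search(body)
        yield (block.group("ip"),
               mac.group(1).lower() if mac else None,
               name.group(1) if name else None)


def unregistered_devices(leases_text, authorized=AUTHORIZED):
    """Devices seen on the segment whose MAC is absent from the register."""
    return [lease for lease in parse_leases(leases_text) if lease[1] not in authorized]


if __name__ == "__main__":
    for ip, mac, name in unregistered_devices(DHCPD_LEASES):
        print(f"unregistered device: {ip} {mac} ({name or 'no hostname'})")
```

A MAC address is trivially changed, so this flags the unregistered rather than proving the registered are genuine; where the segment warrants it, authenticated network access (802.1X) supplies a stronger identity and the same reconciliation runs against its logs.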

New Legal Security Standard

There could also be added liability if your institution isn’t at the very least working toward implementing the CIS Critical Controls. This will now become the gold security standard for the state of California, and in effect becomes the de facto civil law of California, until such time as the state legislature decides to formally weigh in on this subject.

If the California Data Security Breach Reporting law is any indication, other states’ attorneys general may follow suit and release similar opinions on data breach prevention. So if your institution is breached in the future and the CIS Controls are not in place, a resulting lawsuit could bring the possibility of increased civil fines; a judge may view the failure to implement the CIS Controls as negligent. I do not claim to be a lawyer, and you should ask your district’s general counsel for their take on the liability aspect of not implementing the attorney general’s recommendations.

Virtual Host Enumeration for fun and profit

April 15, 2016

The following steps let you do virtual host discovery using the Bing API.

Step 1: Find the web servers you are interested in using Nmap:

nmap -Pn -p 80 --open -oG - <ip-range> | awk '$NF~/http/{print $2}' > webservers

Substitute the IP address range you want for <ip-range> in the above command, and use whatever file name you like in place of webservers.

Step 2: If you don’t already have a Bing API key, get one. The free API key allows 5,000 transactions per month; if you need more, there are paid tiers.

Step 3: I found a Python script that works; its usage is a little bit funky, so I will be modifying it when I find some time.

Step 4: Create a text file and put your API key into it, e.g. vi key.txt

Step 5: Run the following command to search Bing for the IP addresses in the file you created in step 1. This writes a text file called URLS that can then be fed to EyeWitness:

cat webservers | python -b key.txt | awk '{ print $3 }' > URLS

Step 6: If you don’t already have EyeWitness to capture screenshots, download it:

git clone

Step 7: Run EyeWitness to get screen captures of all the virtual hosts:

./ --web -f URLS
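The awk one-liner in step 1 keys on Nmap's greppable output. As an added example (not part of the original post), here is a Python parser for that -oG format that does the same job while also handling hosts with several open ports and https, producing both the webservers list and the one-URL-per-line file the screenshot step consumes; the same parser serves a defender inventorying what web servers a range actually exposes. The sample scan output is constructed, using documentation-range addresses and made-up hostnames.

```python
import re

# Constructed sample of nmap greppable (-oG) output, of the kind produced by
# `nmap -Pn -p 80,443 --open -oG - <ip-range>`; addresses are from 192.0.2.0/24.
SAMPLE_OG = """\
# Nmap 7.x scan initiated (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.11 (www.example.test)\tPorts: 80/open/tcp//http///
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh///
Host: 192.0.2.13 ()\tPorts: 80/filtered/tcp//http///
# Nmap done (constructed sample)
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>.*)$")


def parse_greppable(text):
    """Yield (ip, hostname, [(port, state, service), ...]) for each Ports: line."""
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        # Fields after the port list (e.g. "Ignored State: ...") are tab-separated.
        port_list = m.group("ports").split("\t")[0]
        ports = []
        for entry in port_list.split(","):
            # Each entry is port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue
            ports.append((int(fields[0]), fields[1], fields[4]))
        yield m.group("ip"), m.group("name") or None, ports


def web_servers(text):
    """IPs with at least one open port whose service looks like http(s): the webservers file."""
    return sorted({ip for ip, _, ports in parse_greppable(text)
                   if any(state == "open" and "http" in service for _, state, service in ports)})


def screenshot_urls(text):
    """One URL per open http/https port, one per line, as the screenshot step expects."""
    urls = []
    for ip, _, ports in parse_greppable(text):
        for port, state, service in ports:
            if state != "open" or "http" not in service:
                continue
            scheme = "https" if service.startswith("https") or port == 443 else "http"
            urls.append(f"{scheme}://{ip}:{port}")
    return urls


if __name__ == "__main__":
    print("\n".join(web_servers(SAMPLE_OG)))
    print("\n".join(screenshot_urls(SAMPLE_OG)))
```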

Categories: Uncategorized

Hostapd Backtrack 5r3

August 29, 2012

So I am setting up a Backtrack 5r3 system to do some mobile app assessment. I want to set up the system as a wireless access point and be able to capture all the traffic. To do this I am using hostapd. Backtrack has this as a standard package available via: apt-get install hostapd

Unfortunately this is an older version of the program, 0.6.9 I believe, and it would not work with the ath9k I have in this system. The program threw an error each time I tried to run it. The latest stable build of hostapd is 1.0 and is available to download here. The problem is that you need to install the libnl-dev package in Backtrack before it will cleanly compile. After downloading and compiling hostapd 1.0 everything was good to go. So here are the commands to run for all you script kiddies out there.


apt-get install libnl-dev
tar -xzvf hostapd-1.0.tar.gz
cd hostapd-1.0/hostapd
cp defconfig .config
make
for i in hostapd hostapd_cli; do cp -f $i /usr/local/bin/$i; done


Congratulations you now have a fully functioning hostapd 1.0 install that will work with the ath9k wireless chipset on Backtrack 5r3.

Categories: backtrack


July 22, 2009

I am playing around with Kon-Boot after first hearing about it on the Hak5 podcast. If you haven’t heard about it, it is a boot disk you can create on a floppy, CD or USB drive (see Irongeek’s site for USB instructions). The disk changes the Windows or Linux kernel on the fly while booting to allow you to bypass the login password. In Windows you just use any valid user name and a blank or garbage password; you will then be logged in as that user and can access all their files. So naturally you will probably want to try the local administrator user, which will allow you to access all files on the computer. In Linux you will use the user name kon-usr and no password. This will give you full root access on the Linux machine.

I have found it works well if the system is not multi-boot. On my systems, which are all multi-boot, it would only work on one system and only on one OS, which happened to be Eeebuntu. My other laptop gave me an error about the cylinder number being too high, like in the old-school days of LILO, where the boot image had to be below cylinder 1024. I am assuming this is the same issue as in the days of old. Also, a caveat: don’t use Kon-Boot to log in to a domain account on a computer that is connected to the network. This will disable the account on the domain and won’t allow you to log in. In most environments user credentials are cached in case the network goes down, so air-gap the computer before using a domain account.

Remediation steps are fairly simple. Lock the BIOS with a password and only allow the system to boot from the hard drive. This should already be on the checklist of tasks to perform when deploying a new PC, since this type of threat isn’t new; Kon-Boot just makes it a little simpler to access the PC than loading up a live Linux distro like Knoppix. If there is any sensitive information on the hard drive, encryption should be used, of course, since if someone steals the computer or hard drive it’s game over. With the breach notification laws in most states that is not a fun proposition.

Categories: Geeky stuff, Security

Getting rid of a volume group that doesn't exist in Linux

July 17, 2009

I was setting up a test VM with four 1 TB SAN LUNs. After successfully creating and testing the VMware image I blew it away without touching the LVM. After creating the production image I tried to add the LUNs back to the LVM and of course got errors when adding the LUNs to the LVM. The metadata for the old volume group was still there, and the OS refused to add the LUNs to the existing volume group. I then tried to remove the volume group with vgremove, but since the devices with the UUIDs themselves were long gone I could not do it.

I finally found a very simple solution: just dd the damn things with zeros. That will blow out all the metadata. So for each LUN I ran

dd if=/dev/zero of=/dev/XXX bs=512 count=5

Probably only needed a count=1, but what the hell, I don’t care; I didn’t have any data on the LUNs anyway. After that, running lvscan came back clean with no orphaned UUIDs and I was able to initialize the LUNs again and add them to the new volume group.

Categories: Geeky stuff