
30 September 2019

Training on IT Security



The third edition of the IT Security courses in Extremadura will start soon. These courses are delivered for free by FEVAL every year, and I was the teacher in the first and second editions. However, I don’t know yet whether I’m going to be the teacher in this third edition. I would like to be. This edition will be in Badajoz, and students will learn security on networks and systems, hacking and also forensics. I think it’s a good chance to learn IT Security if you are interested in infosec, because these courses are full of tests and laboratories where students attack and protect systems as in the real world.

The first course, which starts soon, is about basic security on networks and systems, where students receive security awareness training and configure security appliances such as firewalls and SIEM. For instance, we deployed a virtual firewall and configured OSSIM last year. We also talked about recommendations for protecting networks and systems, such as server hardening and best practices for network appliances. In addition, we discussed the importance of Business Continuity and Disaster Recovery Plans.

Training on IT Security

Students who want to learn more about IT security can take the advanced security course on networks and systems. Last year, this second course was intended for students who wanted to get deep knowledge of IT Security, because we covered advanced techniques such as Multipath TCP, HTTP/2, Web Application Firewalls, XSS, SQLi, etc. In fact, we configured a WAF and attacked servers to see how this kind of appliance is able to block advanced attacks.

Once the basic security course and the advanced security course on networks and systems are over, the ethical hacking fundamentals course starts. This course is for students who want to learn how to attack networks and systems. Therefore, the first two courses are for people who want to know how to protect networks and systems, and this one is for learning about vulnerabilities, network scanning, buffer overflows, OSINT, denial of service, etc.

If you really love hacking and want to learn more about how networks and systems are hacked, you have to go to the advanced ethical hacking course. This course was full of advanced laboratories last year. For instance, we created a backdoor for Android systems and even made a malicious WhatsApp Messenger. In addition, we deployed WebGoat in Kali Linux to test web application vulnerabilities.

The last course in this third edition will be about Digital Forensics. Last year, students learnt how to collect evidence and how to analyse it. In addition, we played CTFs (Capture The Flag), where students had to find flags in a series of challenges. As a result, they used many tools such as FTK Imager, fcrackzip or exiftool. Last but not least, we also analysed and learnt how Fileless Malware works.

Regards my friends. I hope this will be interesting for you. Keep studying.

23 September 2019

RedHunt - Adversary Emulation & Intelligence



There are lots of security tools for pentesters. I’ve already worked with the Social Engineering Toolkit (SET), Metasploit and many other security tools included in Kali Linux. However, I would like to write about RedHunt in this post. It is a useful operating system for threat emulation and threat hunting, which helps us find out how secure our environment is. RedHunt is based on Lubuntu and includes security tools such as Caldera, Atomic Red Team, DumpsterFire and Metta. I’ll write about them.

Caldera is an emulation system which uses an agent on each system whose security we want to assess. This agent runs commands in the infrastructure as if it were an adversary. The results are sent to Caldera, where we can see which attacks succeeded. The new version, Caldera 2.0, added the chain mode, as well as the adversary mode, which allows us to orchestrate atomic unit tests into larger attack sequences. I think it is an interesting tool to execute attacks against servers to learn how secure the IT infrastructure is.

Caldera

Atomic Red Team is another tool included in RedHunt which, like Caldera, executes simple “atomic tests”. It is useful for red teams to learn how secure the infrastructure is. There are no agents, and we can execute scripts against servers to test security controls. It’s an interesting tool to find out which attacks we can detect and which attacks we cannot. In addition, it’s easy to run a test: five minutes are enough to execute an “atomic test” with this tool. Therefore, Atomic Red Team is a good library of simple tests to emulate adversaries.

Atomic Red Team
 
RedHunt is full of security tools. If you want a tool for scheduling tasks such as visiting various hacking websites, downloading a few common hacking tools and scanning the local network, DumpsterFire is your tool. This tool helps us schedule tasks as if they were run by a human. For instance, we can open a URL session at 2 PM, wait for 60 seconds, and then open another URL session or execute a script. What’s more, there are already Fires, or event modules, configured in this tool, although we can also configure and develop our own.

DumpsterFire
 
Another tool for adversarial simulation is Metta. This security tool is similar to Atomic Red Team: we can test hosts and networks to find out whether security systems detect attacks. Metta parses a YAML file in which we write a list of “actions”, which are run one at a time without manual interaction. In addition, Metta logs all output to a JSON file and to a simple HTML log, which is useful for incorporating the results into a reporting framework.

Metta
 
I think RedHunt is an interesting virtual machine, with many security tools to emulate adversaries. Its tools are useful for both red teams and blue teams, and they can be run against servers and networks to learn how secure the IT infrastructure is.

Regards my friends. Keep learning and test your IT infrastructure as if you were a real adversary.

16 September 2019

No Logo



I have just finished reading a book about brands. All of us know lots of brands. Most people want branded shoes, branded jeans, branded shirts, etc. We want brands because we think branded stuff is much better than other stuff that nobody knows. We are willing to pay more for a brand’s shoes than for other shoes that nobody knows. As a result, companies spend lots of money on advertising campaigns. They even pay celebrities, such as Michael Jordan or Cristiano Ronaldo, lots of money to make advertising campaigns.

Celebrities also take into account that they are working for these companies. Therefore, they have to speak very well of these brands and wear the clothes of the brands that sponsor them. I remember a press conference where Cristiano Ronaldo showed off a luxury diamond watch again and again. I think he scratched his face and his lips from time to time just to show the “amazing” watch. However, famous people also have to be careful about which companies they endorse, because some of them could ruin their own personal brand.

Luxury diamond watch

Superstars could ruin their own personal brand when they support manufacturers which make products without taking workers’ rights and human rights into consideration. Companies increasingly make products in eastern countries such as China, Vietnam or Indonesia, where workers earn very little money. In addition, these factories don’t have the minimum safety measures. They lack proper ventilation and hygiene. Consequently, people work in high-risk factories, and they work long hours for a low wage.

Bangladesh factory collapse

There are lots of eastern workers in bad working conditions, and this is the main reason why we can buy products very cheaply. Mainly, U.S. companies have the idea and invest in it, European people work on the idea, and finally, eastern workers manufacture the product. However, working for a low salary is also increasingly usual in western countries. There are no factories and there are not enough jobs for everybody. Therefore, western people earn a low salary, and they buy cheap products, which are made in eastern factories with low wages. It’s a dangerous vicious cycle.

Wealthy people are getting richer and poor people are getting poorer. Thereby, there are people who have realised we have to do something. There are demonstrations and strikes in front of malls. There are billboards which are destroyed or repainted. There are even foundations, such as the Adbusters Media Foundation, which fight to counter pro-consumerist advertising. It's up to you whether you want to fight for your rights.

Adbusters cover

To sum up, companies no longer manufacture products but brands. Most people want brands, and we want to buy cheap things. Companies have outsourced the manufacturing process, and most factories are in eastern countries. We don’t mind that products are made by people who work long hours for a low wage, or we don’t want to know about it. It’s time to think about consumerism.

Regards my friends. A nice book, like this one, can change your mind!

9 September 2019

Asymmetric Encryption Algorithms



I remember a security administrator who told me he couldn’t enable encryption on a site-to-site VPN because the firewalls couldn’t encrypt high-throughput traffic. He said the firewalls didn’t have enough CPU for VPN data encryption. Obviously, those firewalls weren’t well sized for his requirements. Encryption needs a powerful CPU and/or powerful cryptographic cards, but it also requires choosing the right cipher suites. Maybe this security administrator didn’t have a good firewall to encrypt the site-to-site VPN, but maybe he didn’t know either that there are several encryption algorithms, and if they are configured properly, you will be able to get what you want.

I learnt at University how public-key cryptosystems work. It’s easy to understand. There are two keys: a public key and a private key. The public key is known to everyone. It’s like an open padlock. However, the private key is only known by the owner. It’s like the key that opens the padlock. Therefore, when someone wants to send something locked with the padlock, only the owner can open the padlock and read the message. Rivest-Shamir-Adleman (RSA) is one of the first public-key cryptographic systems, and it’s the most used for data transmission.

Public Key Encryption

There is an alternative to RSA: the Digital Signature Algorithm (DSA). This algorithm was developed by the U.S. government and it has the same security degree as RSA. However, it employs different mathematical algorithms for signing and encryption. DSA is also an asymmetric encryption scheme, like RSA, and it’s faster for signing but slower for verifying. Therefore, DSA is not a good choice if there are performance issues on the client side.

Diffie-Hellman is another algorithm I've learned, this one while working with Virtual Private Networks (VPN). It’s an asymmetric algorithm useful for agreeing on a secret key between peers. Firstly, the peers agree on a public value, which an attacker could eavesdrop on. Secondly, each of them uses a private secret value, which is only known to that peer. Finally, these two values are combined to get a new one, which is the final key for the encryption process. This final key is, computationally speaking, difficult for an attacker to obtain.

Diffie-Hellman Key Exchange

These three algorithms are well-known to most security engineers. However, Elliptic Curve Cryptography (ECC) and the Elliptic Curve Digital Signature Algorithm (ECDSA) are increasingly used because ECC provides much stronger security than RSA or DSA with smaller keys. Therefore, ECC is the best option for mobile devices, because it requires less computational overhead.

Elliptic Curve Digital Signature Algorithm

On the whole, when you are going to configure encryption for anything, it’s better to know which algorithm fits your architecture, because if you don’t choose the right one, network performance could be degraded.

Regards my friends. Have a nice day!

2 September 2019

F5 BIG-IP - vCMP



Virtualization has lots of advantages, and this is the main reason why most services are already virtualized. I didn’t know anything about virtualization when I finished my degree at University, but later on I started working as a system administrator, where I learnt about virtualization with XenServer and VMware. I realised the power of virtualization. Most web servers and applications were virtualized, which made them easier to manage. Today, there are virtual networks everywhere, so firewalls, load balancers, etc. are also virtualized.

I still remember the first time I installed and configured a pair of Radware Alteon 5224 XL. It was five years ago. It is an appliance which supports virtual load balancers. Therefore, I created load balancer instances in the Radware hypervisor. However, I’m right now in a new project with a pair of F5 BIG-IP i5800, where we are going to configure load balancer instances in the BIG-IP. Both vendors have hypervisors for virtualization, but with different concepts. For example, virtual load balancers are called vADC instances in Radware, while they are vCMP guests in F5.

Radware ADC virtualization infrastructure

vCMP, or Virtual Clustered Multiprocessing, is a feature of BIG-IP which lets us deploy several instances of BIG-IP on one hardware platform. Therefore, we can allocate CPU, memory and disk to a virtual machine which runs the TMOS operating system. This is useful because we can have a virtual machine for each application. For instance, a virtual machine for eCommerce, another for Oracle, etc. If we have to upgrade the firmware of one application's instance for whatever reason, we can do it without service interruption to the other applications.

Example of a four-guest vCMP system

You may be wondering how networks are configured. It is a true multi-tenant environment, where guest administrators can’t configure layer 2 settings, so these have to be configured by the host administrator. Therefore, the host administrator has to configure VLANs and trunks, while guest administrators configure the layer 3 settings such as Self IP addresses, Virtual Servers, etc. It’s important to highlight that the management network can be isolated or bridged between guests. However, it’s highly recommended to configure the management network in bridge mode.

Isolation of network objects on the vCMP system

When you are planning to configure vCMP in a BIG-IP appliance, or in a VIPRION chassis, you should take into account the amount of CPU and memory you have for guest instances, because it is limited. For example, if the hardware appliance has 8 cores and 48 GB RAM, we won’t be able to allocate more hardware than that. In addition, once a guest instance is running, we can’t allocate more CPU or memory to that instance because it’s already deployed. If we want more CPU or memory, we’ll have to stop the guest instance to reconfigure it.

Three guests with varying amounts of core allocation
 
To sum up, vCMP is an interesting feature for running hosted instances of the BIG-IP software on a single hardware platform. Once an instance is running, we configure the guest like any other BIG-IP. For example, it’s worth configuring an active-standby cluster between instances, because there is no high availability configuration for the hypervisors themselves.

Regards my friends. Go ahead!!