25 December 2017

Merry Christmas and Happy New Year

I’m here at home with my laptop, doing my weekly homework and quietly writing this post like any other day. Today is Christmas, and I must write about it: about how this nearly finished 2017 has gone. This year has been rewarding, fast at times and slow at others; it began with lots of travelling and has finished the same way, with a somewhat more relaxed middle. It has been a year in which I’ve been able to work on many security and networking projects, meet up with IT professionals, read many books, study... I’ve been able to do many things.

At the beginning of the year, I was working on a project in which I had to install and configure nine firewall appliances around Extremadura, deployed into a wireless network with a captive portal and LDAP integration. Once this project was finished, I delivered the Alcatel-Lucent OmniSwitch AOS Troubleshooting Training Course in Madrid. In the meantime, I was reading, studying and writing about PBB, SPB, VXLAN and overlay technologies, as well as analysing vulnerabilities like the Apache Struts vulnerability.

The second trimester of the year wasn’t as stressful as the beginning. Therefore, I had time to read the Steve Jobs biography, as well as to speak Spanglish and Frañol at the Official School of Languages, ending up passing the French A1 level. I was also reading about and testing the new FortiOS 5.6, which brings new features like VXLAN and SD-WAN, so I deployed a virtual firewall, and also a virtual SIEM that I used for my talk about the importance of security at CUM.

Summer was getting closer and I was installing and configuring firewall appliances, analysing security alarms from Ariolo and reading, learning and studying new books, technologies and protocols. For instance, I had to read about the DTLS protocol to improve SSL VPN performance with DTLS, and I was decrypting DTLS traffic with Wireshark. This summer I also had time to go to Galicia and Porto and to read the book No Place to Hide: Snowden and the NSA, which motivated me to write about Spy Files Russia from WikiLeaks.

The end of the year has been thrilling again, with many projects to close before the new year starts. The most time-consuming were the Security Courses on Networks and Systems and the Ethical Hacking Course, where students created a backdoor for Android systems, learnt about making their apps safer with HTTP security policies like HSTS, and many other security things. To finish the year, I’ve been installing a Web Application Firewall along with a load-balanced cluster to protect XML and Web Services as well as WebSockets.

As we can see, this has been a year full of security and networking, but I’ve also been working with virtualization, storage, systems and cloud computing. As a result, I’m an engineer with 8 years of experience who has been able to learn and work with lots of technology, and I want to keep improving like this.

Merry Christmas and Happy New Year.

18 December 2017

Ethical Hacking Course

I’ve been teaching Information Security for the last two months in Cáceres, Spain. The first month was about the Security Courses on Networks and Systems and the second month was about Ethical Hacking. It has been rewarding because, although most of the material came from my daily job, I’ve had to read, learn and test many tools and attacks to be able to show and explain everything clearly, which I really like. Therefore, I’m going to write an overview of what we have been learning during the last month in the Ethical Hacking Course.

On the first day of the course we talked about ethics and cybersecurity, which is very important if we don’t want to be punished or go to jail. During the first week we also spoke about many tools and techniques to audit information systems, like Hping, Nmap, Wireshark, Tcpdump, NetworkMiner, etc. In addition, in the first week we had time to see and explain the latest important vulnerabilities like Heartbleed, Apache Struts and Shellshock, as well as to test vulnerability assessment systems like Greenbone and OpenVAS on Kali Linux and OSSIM.

Shellshock vulnerability

The second week was loaded with intrusion techniques. First, we played with ARP spoofing attacks to perform MITM attacks and sniff traffic with Wireshark. We also used Cain & Abel to steal passwords, and we learnt about IP spoofing and session hijacking. What’s more, students liked Armitage for attacking easily, which was tested against Metasploitable. In addition, we also learnt about information gathering and footprinting, where we installed and tested tools like Anubis, FOCA, Maltego and nslookup.

Session Hijacking

Once students knew the basic concepts of Ethical Hacking, we started the third week with advanced concepts like Domain Generation Algorithms (DGA), used to bypass blacklists and domain reputation systems, and we also talked about the DNS technique called Fast-Flux, used to hide C&C servers. We also talked about Open Source Intelligence (OSINT) and the power of search engines, where we used many filters in the Google search engine, and we also searched IoT sources like Shodan, Censys and ZoomEye.

Fast-Flux Network

We installed and tested many tools during the third week. For instance, we also used lots of network scanners like zmap, fping and zenmap. Moreover, we talked about the Smurf attack, and we also carried out social engineering attacks with the Social-Engineer Toolkit (SET), where we launched a Windows PowerShell attack and cloned web pages for phishing attacks. In addition, password cracking was another unit of the third week, where we learnt how to use brute-force tools like THC Hydra, John the Ripper and CeWL.

Smurf Attack

At the end of the course, in the fourth week, we did labs about pivoting with SSH tunnels to route traffic through a compromised host to hack an internal server, and we also created a backdoor for Android systems. The course ended with the OWASP Top 10 and web application vulnerabilities, as well as cracking WPA wireless passwords and DoS attacks.

SSH Pivoting

Regards, my friends, and I hope to see you in the next Information Security course.

11 December 2017

AWS Elastic Load Balancing

AWS Cloud has firewalls, load balancers, WAF and many other interesting services, which can be used easily, free for the first year or paying as we use them. I have worked with load balancers for a long time, and AWS Elastic Load Balancing is the Amazon service I’m working on right now. I have already talked about the benefits of Layer 7 load balancing, such as making decisions based on application requests and responses, modifying data in transit, redirecting, showing messages, caching, compression and encryption, as well as better availability and performance.

AWS Elastic Load Balancing (ELB) is not like a traditional load balancing appliance; I don’t know whether it supports Multipath TCP, SACK, Nagle’s algorithm, long fat networks, web scraping prevention, etc., but AWS ELB is enough for most companies. For instance, we can use the AWS Application Load Balancer (ALB) for HTTP and/or HTTPS load balancing, which also supports WebSockets and HTTP/2, path-based routing, health check customization and SSL offloading, as well as integration with other AWS services like AWS Certificate Manager (ACM), Amazon CloudWatch, AWS WAF, AWS CloudFormation, Amazon CloudFront, etc.

Comparison of Elastic Load Balancing Products

When we configure an AWS ALB, we always have to choose at least two Availability Zones (AZs) to increase the fault tolerance of our applications. Amazon therefore recommends having the same number of EC2 instances in each AZ, so that incoming application traffic is distributed across multiple zones. As a result, if one Availability Zone becomes unavailable, the load balancer can continue to route traffic to another.

AWS ELB + Web App + Multi-AZ

What we know as real servers at Radware or nodes at F5 BIG-IP, Amazon calls Targets: EC2 instances with listening ports. In addition, we should configure our own custom health checks so that incoming traffic is routed only to healthy instances; unhealthy instances, whose application is not behaving properly, are not used by AWS ELB until they are alive again. What’s more, stickiness can also be configured for Targets to bind a client’s session to a specific instance within the target group.
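
The health-check and stickiness behaviour described above, as an added toy model (not AWS code and not from this post): a target leaves rotation only after a streak of failed checks and returns only after a streak of passing ones, the default counts mirroring ALB’s healthy/unhealthy thresholds (5 and 2), and a stickiness cookie pins a client to its target only while that target is healthy. The cookie is simplified to the target id; real ALB cookies are opaque.

```python
from itertools import cycle
# Constructed toy model of an ALB target group; added example, not AWS code.
class Target:
    def __init__(self, target_id, az):
        self.id = target_id
        self.az = az                 # Availability Zone of the EC2 instance
        self.healthy = True
        self.successes = 0           # consecutive passing health checks
        self.failures = 0            # consecutive failing health checks

class TargetGroup:
    # Defaults mirror ALB's healthy/unhealthy threshold counts (5 and 2).
    def __init__(self, targets, healthy_threshold=5, unhealthy_threshold=2):
        self.targets = {t.id: t for t in targets}
        self.healthy_threshold = healthy_threshold
        self.unhealthy_threshold = unhealthy_threshold
        self._rr = cycle(sorted(self.targets))   # round-robin order

    def record_health_check(self, target_id, passed):
        """Apply one health-check result; state flips only after a streak."""
        t = self.targets[target_id]
        if passed:
            t.successes, t.failures = t.successes + 1, 0
            if not t.healthy and t.successes >= self.healthy_threshold:
                t.healthy = True
        else:
            t.failures, t.successes = t.failures + 1, 0
            if t.healthy and t.failures >= self.unhealthy_threshold:
                t.healthy = False
        return t.healthy

    def healthy_ids(self):
        return sorted(tid for tid, t in self.targets.items() if t.healthy)

    def healthy_azs(self):   # AZs that still have at least one healthy target
        return sorted({t.az for t in self.targets.values() if t.healthy})

    def route(self, sticky_cookie=None):
        """Return (target_id, cookie). The cookie stands in for ALB's opaque
        stickiness cookie: it pins the client only while its target is healthy."""
        if sticky_cookie in self.targets and self.targets[sticky_cookie].healthy:
            return sticky_cookie, sticky_cookie
        healthy = set(self.healthy_ids())
        if not healthy:
            raise RuntimeError("no healthy targets in any AZ")
        while True:   # skip unhealthy targets in round-robin order
            tid = next(self._rr)
            if tid in healthy:
                return tid, tid
```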

Path- and Host-Based Routing

On the other hand, what we know as virtual servers at F5 BIG-IP, Amazon calls Listeners: a protocol and port pair, plus the default target group to which requests are routed. Furthermore, if we choose the HTTPS protocol for the listener, we can upload our own SSL certificate or use AWS Certificate Manager (ACM) to provision, manage, deploy and renew SSL certificates.

AWS ELB Architecture

Eight years ago, I read for the first time about AppDirector and vDirect from Radware, which allow us to create virtual machines automatically as services receive more and more connections. As a result, virtual machines are powered on and off automatically when more resources are needed, and this is integrated with the load balancing to distribute traffic properly. This is what Auto Scaling can also do for us along with AWS Elastic Load Balancing.

AWS Auto Scaling

To sum up, today we have a reliable platform in AWS Cloud with lots of services, where we can deploy our applications easily and inexpensively.

Regards, my friends, and keep studying!!

4 December 2017

OWASP Top 10 - 2017

I wrote about OWASP at university nearly five years ago and, today, I still don’t know whether there is any subject about it for learning the main web issues and how to keep them away; thus we’ll have many web application vulnerabilities if web engineers don’t study, and don’t know, how to develop secure Web Services and WebSockets. Once web applications are developed, with vulnerabilities or not, it should be mandatory to install a Web Application Firewall to protect our organization from new vulnerabilities, DoS attacks, web scraping, etc.

When I was at university, I learnt to develop in Pascal, C/C++ and assembly, although I also learnt a little PHP, HTML, JavaScript and Java. I developed applications without thinking about publishing them on the Internet, just basic web pages, but today web applications sit behind an API or RESTful web service to be consumed by Single Page Applications (SPAs) and mobile applications. In addition, microservices written in Node.js and Spring Boot are replacing traditional monolithic applications, which brings security challenges like establishing trust between microservices, containers, secret management, etc. On the other hand, modern web frameworks have been released, such as Bootstrap, Electron, Angular and React, which run functionality on the client side, while traditional frameworks run it on the server side.

The difference between the monolithic and microservices architecture

Many changes have happened over the last years and, therefore, the OWASP Top 10 has been updated. For instance, we have a new category called A4 – XML External Entities (XXE), because new issues have been identified in older or poorly configured XML processors when they evaluate external entity references within XML documents.

A4 – XML External Entities (XXE)
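
The parser-side hardening that A4 calls for, as an added example written against Python’s expat bindings (not from the OWASP document or this post): any entity declaration or external entity reference aborts the parse before the processor can resolve it, the same approach the defusedxml library takes. The file URI in the hostile sample is a constructed placeholder.

```python
import xml.parsers.expat as expat

class XXEBlocked(Exception):
    """Raised when a document declares entities or references external ones."""

def parse_without_entities(xml_bytes):
    """Parse XML into (element path, text) pairs, refusing every entity
    declaration. Added example in the spirit of defusedxml, not OWASP code."""
    parser = expat.ParserCreate()
    parser.buffer_text = True
    path, items = [], []

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        # Fires on <!ENTITY ...> in the DTD: SYSTEM entities (XXE) and
        # internal ones (entity-expansion bombs) are both refused.
        raise XXEBlocked(f"entity declaration refused: {name!r}")

    def forbid_external(context, base, system_id, public_id):
        raise XXEBlocked(f"external entity reference refused: {system_id!r}")

    def start(name, attrs):
        path.append(name)

    def end(name):
        path.pop()

    def text(data):
        if data.strip():
            items.append(("/".join(path), data.strip()))

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(xml_bytes, True)   # raises XXEBlocked before any lookup happens
    return items

# Constructed inputs: a benign order and one carrying a SYSTEM entity reference.
BENIGN = b"<order><id>42</id><item>book</item></order>"
HOSTILE = (b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///tmp/constructed-secret">]>'
           b"<order><id>&ext;</id></order>")

if __name__ == "__main__":
    print(parse_without_entities(BENIGN))
    try:
        parse_without_entities(HOSTILE)
    except XXEBlocked as err:
        print("rejected:", err)
```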

Insecure Direct Object References and Missing Function Level Access Control have been merged into A5 – Broken Access Control where restrictions on what authenticated users are allowed to do are often not properly enforced.

A5 – Broken Access Control

A8 – Insecure Deserialization is another new category in the OWASP Top 10 which, initially, is difficult to exploit. However, a successful exploitation could lead to remote code execution, and it can also be used for replay attacks, injection attacks and privilege escalation attacks.

A8 – Insecure Deserialization

The last change to the OWASP Top 10 has been to add the category A10 – Insufficient Logging and Monitoring, because many organizations don’t have the security tools and processes to detect malicious activity and data breaches and, as a result, they become aware of a security breach through external parties with an average delay of more than 200 days.

A10 – Insufficient Logging and Monitoring

This has been an overview of the changes in the OWASP Top 10 – 2017, where it is also worth highlighting other security risks like Injection or Cross-Site Scripting (XSS), which keep their importance in the OWASP Top 10.

What changed from 2013 to 2017?

Regards, my friends, protect your web servers and keep studying!!