Port Scanner

How hard is it to write a port scanner?

That depends on what you’re willing to use. For building my own port scanner I took the software engineering proverb “Don’t reinvent the wheel” to heart.

Until recently my company did port scans by keeping a list of ports that were allowed to be open, without tying them to the IP addresses they were supposed to be open on. I’m sure you can see the holes here (e.g. someone could start an FTP server on a web server, and it would never get caught).

So in the interest of hardening the port scans, I created this program. It lets you specify an IP address and then add the ports it is approved to have open, in a CSV format (see the README file in the git repository for details).

One important requirement was that the reports be something our compliance department can look at and work with, hence the CSV format; my intention is to let them format the reports however they wish on receipt.

I used nmap to do the actual port scanning. If you’re familiar with nmap, you know that means I did very little work of any real consequence here. The program’s real use is in parsing nmap’s output, comparing it to the list of approved ports, and writing out easy-to-read reports of what has changed in an environment.
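To make the parse-compare-report step concrete, here is an added example (my own illustration, not the code from the git repository; the project’s actual CSV column layout is in its README, and the nmap XML below is constructed sample data, not a real scan). It reads nmap’s XML output (the -oX format), loads an approved-ports list from CSV, and emits a CSV report of ports that are open but unapproved and ports that are approved but not open:

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for one host (not real scan data;
# only the elements and attributes used below are included).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Constructed approved-ports list. Assumed layout: one row per (ip, protocol, port).
APPROVED_CSV = """ip,protocol,port
10.0.0.5,tcp,22
10.0.0.5,tcp,80
10.0.0.5,tcp,443
"""


def parse_open_ports(nmap_xml):
    """Return {ip: {(protocol, port), ...}} for every port nmap reports as open."""
    result = {}
    root = ET.fromstring(nmap_xml)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr.get("addr")] = open_ports
    return result


def parse_approved(csv_text):
    """Return {ip: {(protocol, port), ...}} from the approved-ports CSV."""
    approved = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        approved.setdefault(row["ip"], set()).add((row["protocol"], int(row["port"])))
    return approved


def compare(open_by_ip, approved_by_ip):
    """Return findings as (ip, protocol, port, status) tuples, sorted for stable reports."""
    findings = []
    for ip in sorted(set(open_by_ip) | set(approved_by_ip)):
        open_ports = open_by_ip.get(ip, set())
        approved = approved_by_ip.get(ip, set())
        # Open on the host but not on the approved list: the FTP-on-a-web-server case.
        for proto, port in sorted(open_ports - approved):
            findings.append((ip, proto, port, "UNAPPROVED_OPEN"))
        # Approved but not actually open: worth knowing too, it may mean a dead service.
        for proto, port in sorted(approved - open_ports):
            findings.append((ip, proto, port, "APPROVED_NOT_OPEN"))
    return findings


def report_csv(findings):
    """Render findings as CSV text that a spreadsheet can open directly."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ip", "protocol", "port", "status"])
    writer.writerows(findings)
    return buf.getvalue()


if __name__ == "__main__":
    found = compare(parse_open_ports(SAMPLE_NMAP_XML), parse_approved(APPROVED_CSV))
    print(report_csv(found), end="")
```

Run against the sample data, the report flags tcp/21 as UNAPPROVED_OPEN and tcp/443 as APPROVED_NOT_OPEN for 10.0.0.5. Keying the approved list on (ip, protocol, port) rather than on port alone is the whole point: a port is only approved on the host it was approved for.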

Without further ado, the program can be found here.

Security Engineering Process: Where Compliance Meets Programming

I recently got asked to work on a project to help finalize a Security Engineering Process for my company. I haven’t delved too deeply into the goals and deliverables yet, but the project title is interesting enough to me: Security Engineering Process Assessment. This is one of the few times I’m going to argue semantics are important, so let’s break this down a little.

I’m comfortable with the words “Security”, “Engineering”, and “Assessment”, but “Process” is an interesting choice. The corporate connotation of process (at least at my company) is that you have a defined set of steps that are well documented and anyone (with a little training) can take the documentation and complete the process. For some things this is a totally reasonable idea, but is it reasonable for cyber security?

I’m going to cop out here and say, “Yes and no” with a caveat that it really depends on how you write your process.

There are some common-sense security precautions you should take when designing any system, such as requiring a user to log in before they can do anything, expiring sessions, using SSL by default, requiring complex passwords, etc. These fit well into a process: they can be defined and measured and are relatively straightforward.

But then there’s the side of cyber security where it transitions (don’t hate my cheesiness) from science to art. There is a level of art involved in looking at a system that is open to the internet, discerning where an attack may come from, and then finding ways to secure against it.

Here I’m thinking of things like the BadBIOS example or the recent Target breach, which you could never hope to define a process for. Anything you could define and document would fall miserably, pathetically, laughably short of protecting against an attack that can pivot within systems and compromise multiple companies, or jump air gaps and cloak itself when you are close to finding it. For defense against this kind of thing, you need artists: people with as much creative ability as technical ability.

Yes, a defined process is a good idea. Most large companies will need it to show auditors and help developers who may not have a security mindset to design more secure systems. But the first step in your process should be, “Doubt the entire process” and the second step should be “Confirm doubt of entire process.”

Privacy And Media Hype

As anyone who works in the IT industry knows, how easily the media can understand a technical concept and generate hype about it has a lot to do with how much attention it gets. Sometimes this brings important issues to light; other times it lands pretty far off the mark.

Let’s take two relatively recent Google projects as examples: Project Glass and Project Tango.

Glass has received a ton of media attention and cautionary advice. It seems like every time you read the news someone is writing another article about how suspicious we should be of Glass and its invasion of our privacy. Lawmakers, businesses, and individuals are all getting involved, trying to ban, limit, and berate Glass users.

The common tagline is that Glass is a way for someone to photograph you without your knowledge, and while that is true in a sense, Glass is not a concealable camera (you wear it on your face). Even if it were, someone interested in photographing you surreptitiously has far better options than a camera sitting on their face (just search for “spy camera” on Amazon). We should have some concerns about Google Glass, but its impact on privacy isn’t the biggest one. So why does it get talked about so much?

The answer, I believe, is that it’s easy to talk about. “Take a picture of you without your knowledge” is an easy concept to understand, and thus easy for the media to make scary and get attention with.

So what is Project Tango? I won’t go into the gory details, but it’s basically a way to use your phone to map an environment in 3D. Now that has some real privacy implications. Currently it looks like the technology only maps what’s in front of the phone, but it can apparently detect a 3D environment and the movement of the phone pretty well. Google suggests the technology could be used to extend Google Maps beyond streets, help you find things on shelves in large stores, and record the dimensions of your furniture.

Holy crap. That should scare some people. Ask yourself this: how often are you within 50 feet of someone with a smartphone? However often that is, that’s potentially how often there could be a device watching your every move as you wake up in the morning, walk down the street to work, leave your secret spy drop point for all those Russian secrets you are selling, you know, typical everyday stuff.

But it isn’t getting a whole lot of media hype or concern because it’s harder to talk about. It takes more steps to explain how a 3D mapping tool could be a threat to your privacy than to explain that someone could take a picture of you with the girl you’re cheating on your girlfriend with.

As a disclaimer, I think Project Tango is incredible, really cool stuff. It’s probably the natural progression of where technology will go (first we had phones, then we had phones that knew when we touched them, then we had phones that knew which direction they were turned, and now we have phones that can map their environment). But we should ask some serious questions about how comfortable we are with this technology being everywhere on the streets, and about who should be allowed to get at the data it collects.

IE Zero Day: Response Required

Another day, another zero day vulnerability (Gosh, I love that term. So ominous. Like seeing a mushroom cloud). This time it’s in IE 9 and 10.

Side track: it’s amusing to me that a vulnerability in software that has been outdated for 3.5 months can be so devastating, but I guess that’s the corporate world.

There are already a number of pretty good technical write-ups on the exploits for this one seen in the wild, so I won’t go into that. I’d rather address what you should do if you’re a medium to large company.

A senior analyst at my company was tasked with looking into this threat. He read the title of the FireEye post, sent an email that said “Upgrade to IE 11”, and called it good. Not terribly helpful. There are a number of steps you should take to start looking into this.

The first question you should ask is, “Have I been attacked already?” If you have a SIEM tool this should be easy enough to determine. The first domain you’ll want to look for is the VFW site (vfw.org), since that was the site that was originally compromised.

If you don’t find any traffic, that is a very good sign. I wouldn’t relax quite yet, though, as someone could’ve accessed the site from their laptop at home. FireEye put together a list of the IPs and domains they’ve seen that are probably C&C servers connected to the VFW compromise, so it’s good to watch for these too:

First Seen   Last Seen    CnC Domain            IP
2013-08-31   2013-08-31   icybin.flnet[.]org    58.64.200.178
2013-05-02   2013-08-02   info.flnet[.]org      58.64.200.178
2013-08-02   2013-08-02   book.flnet[.]org      58.64.200.178
2013-08-10   2013-08-10   info.flnet[.]org      58.64.200.179
2013-07-15   2013-07-15   icybin.flnet[.]org    58.64.200.179
2014-01-02   2014-01-02   book.flnet[.]org      103.20.192.4
2013-12-03   2014-01-02   info.flnet[.]org      103.20.192.4

And as long as you’re searching for traffic, look for anything hitting the following as well:

First Seen   Last Seen    CnC Domain            IP
2012-11-12   2012-11-28   me.scieron[.]com      58.64.199.22
2012-04-09   2012-10-24   cht.blankchair[.]com  58.64.199.22
2012-04-09   2012-09-18   ali.blankchair[.]com  58.64.199.22
2012-11-08   2012-11-25   dll.freshdns[.]org    58.64.199.25
2012-11-23   2012-11-27   rt.blankchair[.]com   58.64.199.25
2012-05-29   2012-6-28    book.flnet[.]org      58.64.199.27

If all of those searches turn up empty, you might be OK. But depending on your infrastructure, it’s still possible someone took a laptop to Caribou and got compromised while they weren’t attached to your network, so it wouldn’t be a bad idea to create an alarm for traffic to those addresses for some ongoing awareness.
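If your SIEM is a pile of proxy logs rather than a product, the search above is a small script. The following is an added example of my own (not from FireEye or from the post’s author) that loads the two indicator tables exactly as quoted above, refangs the domains, and runs them over proxy log lines. The log layout (timestamp, client IP, destination host, destination IP) and the log lines themselves are constructed for the example; the IP shown for vfw.org is a documentation address, not its real one. The same function can be scheduled against fresh logs to serve as the ongoing alarm suggested above.

```python
import ipaddress

# Indicators from the FireEye tables quoted in the post, domains defanged with
# [.] exactly as published; refang() restores the dots before matching.
INDICATORS = """
icybin.flnet[.]org 58.64.200.178
info.flnet[.]org 58.64.200.178
book.flnet[.]org 58.64.200.178
info.flnet[.]org 58.64.200.179
icybin.flnet[.]org 58.64.200.179
book.flnet[.]org 103.20.192.4
info.flnet[.]org 103.20.192.4
me.scieron[.]com 58.64.199.22
cht.blankchair[.]com 58.64.199.22
ali.blankchair[.]com 58.64.199.22
dll.freshdns[.]org 58.64.199.25
rt.blankchair[.]com 58.64.199.25
book.flnet[.]org 58.64.199.27
"""

# The originally compromised (watering-hole) site named in the post.
WATERING_HOLE_DOMAINS = {"vfw.org"}

# Constructed proxy log lines (assumed layout: timestamp, client IP,
# destination host, destination IP). Addresses other than the indicators
# are documentation/private ranges, not real infrastructure.
SAMPLE_PROXY_LOG = """2014-02-14T09:12:01Z 192.168.10.21 www.example.com 203.0.113.5
2014-02-14T09:12:07Z 192.168.10.21 vfw.org 203.0.113.10
2014-02-14T09:12:09Z 192.168.10.21 info.flnet.org 103.20.192.4
2014-02-14T09:15:44Z 192.168.10.42 cdn.example.net 58.64.200.178
2014-02-14T09:16:00Z 192.168.10.42 www.example.org 198.51.100.7
"""


def refang(indicator):
    """Turn the published 'a[.]b' form back into a matchable hostname."""
    return indicator.replace("[.]", ".")


def load_indicators(text):
    """Return (domain set, IP set) from the two-column indicator table."""
    domains, ips = set(), set()
    for line in text.strip().splitlines():
        domain, ip = line.split()
        domains.add(refang(domain).lower())
        ips.add(ipaddress.ip_address(ip))
    return domains | WATERING_HOLE_DOMAINS, ips


def host_matches(host, domains):
    """True for an exact indicator domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_hits(log_text, domains, ips):
    """Return (timestamp, client, host, dest_ip, reason) for every line touching an indicator.

    Host and destination IP are checked independently: a C&C IP reached via a
    hostname not on the list (or a bare IP) still counts, and so does an
    indicator hostname that has since moved to a new address.
    """
    hits = []
    for line in log_text.strip().splitlines():
        ts, client, host, dest_ip = line.split()
        reasons = []
        if host_matches(host, domains):
            reasons.append("domain")
        if ipaddress.ip_address(dest_ip) in ips:
            reasons.append("ip")
        if reasons:
            hits.append((ts, client, host, dest_ip, "+".join(reasons)))
    return hits


if __name__ == "__main__":
    doms, addrs = load_indicators(INDICATORS)
    for hit in find_hits(SAMPLE_PROXY_LOG, doms, addrs):
        print(*hit)
```

On the sample lines this flags three events: the visit to vfw.org (domain only), the connection to info.flnet.org at 103.20.192.4 (domain and IP), and a connection to an innocuous-looking hostname that resolved to 58.64.200.178 (IP only). That last case is why the IP column is worth matching on its own.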

At this point, you can be pretty confident you aren’t already infected (from this specific exploit). So how can you stay clean?

The good news about this exploit is that it is a new way to use old attacks. FireEye also has a good write-up on some of these techniques. You should make sure your endpoint protection is watching for them (which it should be already).

If you read the article closely, you may have noticed that the exploit checks whether EMET is installed and simply gives up if it is. “Shouldn’t you just install that?” you may ask. And it’s not a bad idea to install it (or to just add a file at the location the exploit checks for). But giving up when EMET is present is a choice this specific exploit made. The next attacker to use this vulnerability may decide it’s worth figuring out how to evade EMET, so that’s not a silver bullet.

And sadly enough, that’s most of what you can do at this point: look for evidence you’re already compromised, and then make sure your existing security defenses are working as well as they can. I suppose you can also cross your fingers that Microsoft comes out with a fix soon (they did put out a press release, but it amounts to “Windows Server is less vulnerable, polar bears can be dangerous, and we’ll get back to you on this”).

Extra: there is some interesting research on using Windows crash reports to catch infections like this on your network here, but it’s pretty theoretical. You might be doing some pioneering if you want to go this way.

NTP and DDoS Attacks

A new method of creating a DDoS attack has been found: NTP. I’ve read a number of good technical explanations of how the attack was performed and the enormity of the data the attack sent (400-some GB), so I’d like to take a step back and talk about DDoS attacks in general.

What is a DDoS attack and how does it work?

DDoS stands for distributed denial of service. It’s a fancy way of saying an attacker uses multiple computers to keep legitimate users from doing what they want to on the internet. Here’s another way to explain it:

Let’s say you hate your local department store and you want to keep them from helping their customers. With this nefarious intention you go to the store, stand at a register, and refuse to move along.

You’re not going to be very effective, are you? But what if you sent everyone in town a message that if they go to the store and ask for a free coat at 4 in the afternoon this Friday, the store will give them one? You can picture what will happen: the store will be filled with people wanting free coats. Customers buying real merchandise will have trouble getting to the checkouts, and the store won’t be able to sell anything.

(On a side note, if it helps, the civil rights sit-ins were essentially a DDoS attack.)

That’s all there is to it. You send so much traffic to a website or a service that it can’t respond to legitimate traffic. Where it gets interesting is how you send that traffic. Just as there’s no point in standing at a register by yourself, you would never be able to generate enough traffic by yourself to shut down a website. To perform a DDoS attack you need to get other people (or other machines) to join in.

NTP DDoS Attack

NTP is a protocol for making sure that different computers agree on the time. NTP servers are fairly common on medium to large networks (universities, businesses, etc.) and can operate for years without anyone thinking about them. Except for, apparently, some individuals looking for a way to create a DDoS attack. I’ll leave out the gory details, but attackers found a way to use these NTP servers to generate a previously unheard-of amount of traffic at a target.

How scary is it?

What’s interesting about this attack is that (as so often happens) it isn’t difficult to prevent. It doesn’t take any great, brilliant minds to figure out how to keep this kind of thing from happening in the future. Attackers just found something most people don’t consider threatening enough to secure and took advantage of it. How many other “set it and forget it” technologies do we have on the internet that could be used in some clever, malicious way?

On a more positive note, in some ways this may be a good sign. For quite some time now DNS has been the standard DDoS weapon, and because of this the internet community has been encouraging companies to take steps to prevent their DNS servers from being used for these attacks. If attackers looking to wield a DDoS attack are moving on to other means, DNS may be slowly becoming less appealing. Our defense methods are working; they just take time.

WebSockets and Security Infrastructure

WebSockets are new and very cool. If you’re not familiar with them, Wikipedia (as always) has a pretty good article.

Working on a WebSocket test app recently, I had a connection that kept failing.

A thought occurred to me, so I switched from ws to wss, causing my traffic to be encrypted. My company doesn’t currently decrypt any SSL traffic on our security appliances, so this effectively turned my socket into a black box to my proxy, IPS, and firewall. That worked.

I ran a query on our proxy and, sure enough, there was the traffic for both requests.

I decided to look on the external firewall.

Only the SSL traffic was showing up here. So something in between (the proxy, IPS, internal firewall, or external firewall) was knocking down the unencrypted socket traffic.

For the record, I’m aware that it’s better to decrypt and re-encrypt SSL traffic on your proxy. Chalk it up to a mixture of old technology and budget concerns. You work with what you have.

Lessons learned here:

Websockets are cool, but might get stopped by your internal security infrastructure.

If encrypting the traffic resolves the issue, you’ve just discovered a security hole in your environment.
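What the proxy or IPS actually has to go on with plain ws is the HTTP opening handshake, which is what an inspection rule matches on and what disappears inside TLS when you switch to wss. The following is an added example of my own (not the author’s test app) that builds both sides of that handshake per RFC 6455, computes and checks the Sec-WebSocket-Accept value, and includes the kind of header check an inspecting proxy can apply to the cleartext request. The host, path, and key are assumed values; the key/accept pair in the test is the one from the RFC.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3; it never changes.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def client_handshake(host, path, key):
    """Opening request a browser sends for ws://host/path (host, path, key are assumed inputs)."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    )


def accept_value(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)), proving the server speaks WebSocket."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def server_handshake(key):
    """101 response the server returns when it accepts the upgrade."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_value(key)}\r\n"
        "\r\n"
    )


def parse_headers(message):
    """Split an HTTP message head into (start line, {lowercased name: value})."""
    head, _, _ = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_websocket_upgrade(request):
    """The check an inspecting proxy can run on cleartext ws traffic; on wss it sees none of this."""
    _, h = parse_headers(request)
    return (
        h.get("upgrade", "").lower() == "websocket"
        and "upgrade" in h.get("connection", "").lower()
        and "sec-websocket-key" in h
    )


def client_accepts(key, response):
    """Client-side validation: 101 status and an Accept value derived from our key."""
    status, h = parse_headers(response)
    return status.startswith("HTTP/1.1 101") and h.get("sec-websocket-accept") == accept_value(key)


if __name__ == "__main__":
    key = "dGhlIHNhbXBsZSBub25jZQ=="  # example nonce from RFC 6455
    req = client_handshake("echo.example.test", "/socket", key)
    resp = server_handshake(key)
    print(req)
    print(resp)
    print("proxy sees upgrade:", is_websocket_upgrade(req))
    print("client accepts:", client_accepts(key, resp))
```

The point for the lesson above: a proxy or IPS that refuses “Upgrade: websocket” requests is making a policy decision, and it can only make it when it can read the request. Moving to wss doesn’t satisfy that policy; it hides the request from the device enforcing it, which is exactly the hole the second lesson describes.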

Facebook: Finding Ways to Monetize

Facebook Paper is a new app for iOS that came out this week. It was advertised as shiny and new and had an oh-so-hipster commercial.

So I gave it a download. It was shiny and new, just as advertised. It lets you browse your Facebook news feed, has slick animations, and a “flat” design (which is all the rage these days, I’m told). It’s also a news reader and lets you add different categories of things you might be interested in, such as technology, pop culture, etc. I like the app as an app, but there’s one key feature missing from the news reader: you can’t pick the news sources that make up those categories.

Let’s take a step back for a second. Facebook isn’t evil or the antichrist, but they are trying to make money. They were soaring high for quite a while when desktop browsing was most common, but shortly after their IPO they crashed pretty hard. You can find a bunch of different reasons for the crash, but the fact that their desktop usage dropped off while their mobile usage surged was a huge part of it. Facebook had no ads in their mobile apps, and thus no way to make money off of them.

It’s not hard to connect the dots that Mark Zuckerberg connected: Facebook needs a way to make money off of its mobile apps if it wants to survive.

Their first step was Facebook Home.

Still no ads there, and no way to make money, but they’re learning. At first Home got terrible reviews, but Facebook learned and improved upon it, working towards an app people would actually use. To me Paper looks like the next iteration of that. It’s a similar strategy to how Facebook got so popular in the first place: build something cool that people want to use, then advertise to them once you have a ton of users.

Which brings us all the way back around to Facebook Paper and the fact that Facebook chooses what news articles you see in a category. Their end goal is to sell advertising and make money. To do that they want all of the information they can get about your online activity, in this case the articles you read.

So why did it make me pause? Two things.

  1. If you use Facebook Paper as your only news source, your news consumption is selected by Facebook, and potentially by whichever company is willing to pay them money.
  2. If Paper becomes popular, Facebook has an incredible gold mine of data about you and what you read online.

Facebook isn’t evil, but they are trying to make money. It may not be happening yet, but there’s a good chance they will start to advertise to you using the extra data they’re able to gather, or sell your data quietly in the background. Before you become invested in Paper, think about whether you’re comfortable with Facebook having that kind of data about you.