Category Archives: Tech

Thoughts on the CREST CRT

Continuing my thoughts-on-exams series (see CISSP & CPSA), here are some notes on the CREST CRT. These are notes to help you prep, they are not the answers – CREST have a robust NDA and I have no intention of breaking it!

Pre-Reqs

You will need to have sat and passed the CPSA MCQ at a Pearson Vue test centre first. You book this direct with Pearson Vue using a credit card.

Once that’s done, book the CRT direct with CREST by filling out the form at https://www.crest-approved.org/wp-content/uploads/UK-Exam-Booking-Form.pdf and emailing it to them. Nominate a month you want to do the exam and CREST will come back to you with some dates and morning/afternoon session availability.

You’ll need to travel to Slough – the test centre is 5 minutes’ walk from the station. Although there are several car parks, I really struggled to find spaces so the train might be your best bet, especially if you have a long drive.

CREST were really helpful and friendly during the booking process so don’t be shy about dropping them a line if you have any questions.

Your laptop

You’ll need to take in your own laptop, but remember that CREST will want to wipe the hard drive on it afterwards. They didn’t seem too concerned about the swish M.2 SSD I had in mine, but if your drive is non-standard, drop them a line. Either clone your existing drive or build fresh onto a new disk, as they’ll be hanging onto the one in the machine for a few days and you’ll be without a working machine otherwise.

Kali should get you through the majority of the test, but you’ll need a vulnerability scanner too, so install and license a copy of Nessus (or OpenVAS) before the day. Similarly a web proxy tool like Burp will be helpful for the webby bits. If you’re sitting this exam then these will all be tools you use daily anyway. Maybe.

Make sure you’re comfortable with configuring networking on your laptop and any VMs you have. I’d recommend bridging, not NATing, if you have VMs though. You can take in a subnet crib sheet to help, or install ipcalc. As the candidate notes point out, there are 10 marks up for grabs just for getting connected.
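As an added example (mine, not from the post), the crib sheet / ipcalc job done in Python: given the address you are handed and the targets on the sheet, it reports the network facts, which targets are on-link and which need the gateway, and a free address to use if you have to pick one yourself. The addresses are constructed. Bridged VMs each need their own address on the test subnet, which is one reason to run it once per VM.

```python
"""Added example (not from the post): a stand-in for the subnet crib sheet / ipcalc.
Addresses are constructed; substitute the ones you are given on the day."""
import ipaddress


def describe(cidr):
    """The facts a crib sheet gives you for the address you were handed."""
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    point_to_point = net.prefixlen >= 31          # /31 and /32 have no network/broadcast
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": net.num_addresses if point_to_point else net.num_addresses - 2,
        "first_host": str(net[0] if point_to_point else net[1]),
        "last_host": str(net[-1] if point_to_point else net[-2]),
    }


def classify_targets(cidr, targets):
    """On-link targets are reached directly (ARP); everything else goes via the gateway."""
    net = ipaddress.ip_interface(cidr).network
    on_link, routed = [], []
    for target in targets:
        (on_link if ipaddress.ip_address(target) in net else routed).append(target)
    return on_link, routed


def pick_free_address(cidr, in_use):
    """First usable host address not already seen (e.g. from an arp-scan), or None."""
    net = ipaddress.ip_interface(cidr).network
    used = {ipaddress.ip_address(a) for a in in_use}
    return next((str(h) for h in net.hosts() if h not in used), None)


if __name__ == "__main__":
    me = "10.20.30.77/27"        # constructed: the address on the candidate sheet
    print(describe(me))
    print(classify_targets(me, ["10.20.30.90", "10.20.31.5"]))
    print(pick_free_address(me, ["10.20.30.65", "10.20.30.66"]))
```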

Read through the syllabus and write down the relevant tools and switches you’ll need for each section – some of them don’t come as standard on Kali and you’ll need to install.

General strategy

Time will run away from you, even if it doesn’t usually in these kinds of tests. Be organised! It’s an open book exam so take in tool notes and crib sheets, you do not want to be scrabbling around trying to figure out the syntax for things. I found https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ to be really helpful, so save a copy of that offline somewhere.

The test network is not internet-connected, although there is a machine in the corner of the room that you can use to Google, but frankly, if you’ve gone there then move on as it’s just a time suck.

Read through the question paper first. It’s a series of MCQs, but some questions are weighted more than others, so plan your time so that you don’t miss out on some of these more valuable ones. It’s not negatively-marked, so if you get to the last 5 minutes then just guess, don’t leave answers blank.

None of this is anything the invigilators won’t tell you at the start!

Good luck!

BLE Security

It has been an interesting week.

I’ve been working at PTP for a few months now, and one of my first pieces of research has been on IoT, er, “intimate wearables”. Well, you can read it, including the snappy vulnerability name we came up with (all the best do): https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/

After that it was picked up by a fair few outlets.

There was also a lively Twitter discussion from my friend Ben Goldacre which ended up involving an MP, and which resulted in this article in The Guardian: https://www.theguardian.com/commentisfree/2017/oct/06/drive-by-sex-toy-hacking-wake-up-call-britain-internet-security-vibrators

Which I think neatly brings us back round to why I/we did the research in the first place. Yes, the headline is catchy, but the point is to highlight that although BLE has “short” range (anything up to several hundred metres, which is not what most people would call short), its security is often shockingly implemented, and that can cause real-world physical harm.

Many commenters pointed out that unsolicited activation of, er, the “intimate wearables” might be a feature and not a bug. I’d agree, if you knew that’s what you were getting into – consent is sexy!

We’re doing some more work on the range soon, as well as some additional vulnerability disclosures on these products – watch out for those.

Update: do you use the Lovense “Body Chat” app to, er, chat? Your messages and other info are probably not as secure as you think they are.

Update 2: I did an interview with Claire Lampen for Gizmodo, exploring the legal aspects of this too: https://gizmodo.com/if-your-vibrator-is-hacked-is-it-a-sex-crime-1820007951

Thoughts on the CREST CPSA

I’ve just sat my CPSA in preparation for $newjob.

The CPSA is part of a UK government qualifications track administered by CREST for accrediting ethical security testers and their companies. You can find a fairly barebones syllabus online along with some suggested reading material.

The CPSA changed radically a couple of years back, in that it used to be open book and packaged with a practical component, the CRT. It’s now closed book, separate from the CRT (and indeed, a prerequisite for sitting the CRT) and administered in Pearson test centres in MCQ format. The only other discussion of the CPSA I’ve found is from before this change.

The exam content is under NDA and of course, the question bank will give different content to each candidate, so this discussion isn’t going to give much away. However, although I’ve worked in security for the last five years (and IT in general for twenty) I went into the exam feeling the least confident I’ve ever felt. I’d read the syllabus and most of the reading list and still really had no idea about the content or question style.

So, here’s my advice:

  • Read the syllabus thoroughly. Note that some points aren’t examinable in the CPSA but are for the CRT and vice versa.
  • If you’re actively working in pen testing and have a background in general IT, or better still, have a CISSP or GSEC then you’ll be good with just a bit of general reading up.
  • Read the question and answers thoroughly, obviously!

Good luck!

💩

I’ve encountered a couple of bugs with internet-connected devices recently so I thought I’d document them in case some other poor soul had the same troubles.

Yes, I’m kinda aware I’ve brought a lot of this on myself, but it does somewhat show that these things aren’t ready for primetime just yet. I’ve done the “sensible” thing and segregated IoT devices onto their own separate, firewalled VLAN, although most vendors aren’t necessarily expecting this arrangement. Many devices rely on NAT hole punching (an outbound connection first, with the replies allowed back in), which seems to work ok except when there’s UDP traffic or IPv6 thrown into the mix. Explicit port forwarding seems to be (thankfully) on the wane.

Nest Protect

I had a really strange experience when my Nest smoke alarms suddenly stopped checking in. They couldn’t join the network and even a reset failed with the cryptic error code P007(3.9). Their technical support has actually been surprisingly good, but they couldn’t figure it out.

I eventually deduced that Nests will only try the first DNS server handed out to them over DHCP. If that one is broken (but a second/third/fourth is still up so name resolution is working for everyone else!) then they fail with this generic error.

Fix: make sure your primary DNS is working; Nest need to fix the bug in their firmware so they’ll failover gracefully (which you’d assume they’d do for a safety device).

Update 05/03/17: the bug doesn’t seem to have been accepted by Nest still so I guess this isn’t going to get fixed. If a single point of failure in networking for a device that’s supposed to tell you your house is on fire worries you, I guess don’t buy one?
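As an added example (mine, not from the post), here is what failing over between DHCP-supplied resolvers looks like, set against the first-server-only behaviour described above: a minimal DNS A query builder and reply parser, a real UDP transport, and a canned transport (with constructed addresses) so the script runs offline. Run with the first server dead, the failover resolver gets an answer from the second while the first-only resolver reports total failure. The transaction-id check in the parser is also the minimum a client needs against spoofed replies.

```python
"""Added example (not from the post): what a resolver with DHCP-supplied
servers should do, and what the Nest behaviour described above amounts to.
The real transport is a plain UDP query to port 53; a canned transport is
included so the script runs offline. All addresses are constructed."""
import random
import socket
import struct


def build_query(name, txid):
    """Minimal DNS A query: header, QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def parse_a_records(resp, txid):
    """Return the A records in a reply, or raise if it is not a usable answer."""
    if len(resp) < 12:
        raise ValueError("truncated reply")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")      # the basic anti-spoofing check
    if flags & 0x000F:
        raise LookupError("rcode %d" % (flags & 0x000F))

    def skip_name(off):
        while True:
            length = resp[off]
            if length == 0:
                return off + 1
            if length & 0xC0 == 0xC0:                    # compression pointer, two bytes
                return off + 2
            off += 1 + length

    off = 12
    for _ in range(qdcount):
        off = skip_name(off) + 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def udp_query(server, packet, timeout=2.0):
    """Real transport: one datagram to port 53, wait up to `timeout` for a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recvfrom(512)[0]


def resolve_with_failover(name, servers, query=udp_query):
    """Try every server in DHCP order; a dead or broken one is skipped, not fatal."""
    failures = {}
    for server in servers:
        txid = random.randrange(1 << 16)
        try:
            return server, parse_a_records(query(server, build_query(name, txid)), txid)
        except (OSError, ValueError, LookupError, struct.error) as exc:
            failures[server] = repr(exc)
    raise RuntimeError("all resolvers failed: %r" % failures)


def resolve_first_only(name, servers, query=udp_query):
    """The behaviour the Nest showed: only the first DHCP server is ever asked."""
    return resolve_with_failover(name, servers[:1], query=query)


# Constructed stand-in for the network: one dead server, one working one.
DEAD_DNS, LIVE_DNS = "192.0.2.1", "192.0.2.2"


def canned_query(server, packet, timeout=2.0):
    if server == DEAD_DNS:
        raise socket.timeout("no reply from %s" % server)
    question = packet[12:packet.index(b"\x00", 12) + 5]                # QNAME + QTYPE + QCLASS
    header = packet[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)     # QR, RD, RA, no error
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("198.51.100.10")
    return header + question + answer


if __name__ == "__main__":
    print(resolve_with_failover("example.test", [DEAD_DNS, LIVE_DNS], query=canned_query))
    try:
        resolve_first_only("example.test", [DEAD_DNS, LIVE_DNS], query=canned_query)
    except RuntimeError as exc:
        print("first-only resolver:", exc)
```

To check your own setup rather than the canned one, call `resolve_with_failover("example.com", servers)` with the server list from your DHCP lease and the default `udp_query` transport; the `failures` dictionary in the exception message tells you which resolver a first-server-only device would be stuck on.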

Netatmo Welcome

I had a camera working for ages until one day it suddenly stopped and just showed “disconnected”. A reset similarly failed to get it back online and the setup process choked with generic errors about checking the internet connection etc.

Some hints from a forum led me to find that the camera runs an IPsec tunnel back to Netatmo over UDP. This tunnel is initiated from Netatmo’s side, and my stateful firewall didn’t appreciate unsolicited inbound UDP.

Fix: Permit UDP source ports 500 & 4500 from any public IP to the IP of your camera. Note that this is not port forwarding, just a firewall rule.

(I haven’t been able to pin down exact IP ranges this will come from as Netatmo use a variety of servers and they weren’t forthcoming with help.)
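As an added example (mine, not from the post), the fix above modelled in Python: a toy stateful filter that allows outbound traffic and the replies to it, drops everything else inbound, and accepts the vendor-initiated IKE traffic only once an explicit rule exists. It also shows why the rule is worth tightening: the remote end chooses its own source port, so a rule matching only on source port 500/4500 to the camera’s address lets any host on the internet reach any UDP port on the camera simply by sending from port 500. Matching the destination ports as well (IKE and NAT-T use 500 and 4500 on both sides) closes that. The addresses are constructed, and the nftables line in the comment assumes a table and chain named inet filter / forward.

```python
"""Added example (not from the post): a toy stateful filter that shows why the
Netatmo IKE traffic is dropped and what the rule on the camera's IP lets in.
Addresses are constructed; the VLAN layout is the one described in the post."""
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool          # True when arriving from the internet side


@dataclass(frozen=True)
class AllowRule:
    """Explicit inbound accept: protocol, destination host and optional port sets."""
    proto: str
    dst: str
    sports: FrozenSet[int] = frozenset()   # empty set means "any"
    dports: FrozenSet[int] = frozenset()

    def matches(self, p: Packet) -> bool:
        return (p.inbound and p.proto == self.proto and p.dst == self.dst
                and (not self.sports or p.sport in self.sports)
                and (not self.dports or p.dport in self.dports))


class StatefulFilter:
    """Outbound is always allowed and creates state; inbound needs state or a rule.
    For UDP the 'state' is only a recently seen flow, which is why a server-initiated
    tunnel like the Netatmo one never matches it."""

    def __init__(self, rules=()):
        self.rules = list(rules)
        self.flows = set()
        self.log = []

    def process(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        if flow in self.flows or reverse in self.flows:
            verdict, why = "accept", "established"
        elif not p.inbound:
            self.flows.add(flow)
            verdict, why = "accept", "new outbound"
        elif any(r.matches(p) for r in self.rules):
            self.flows.add(flow)
            verdict, why = "accept", "rule"
        else:
            verdict, why = "drop", "unsolicited inbound"
        self.log.append((p, verdict, why))
        return verdict


CAMERA = "192.168.20.10"      # constructed: camera on the IoT VLAN
NETATMO = "203.0.113.7"       # constructed: one of the vendor's IKE endpoints
ATTACKER = "198.51.100.99"    # constructed: anyone else on the internet

IKE_PORTS = frozenset({500, 4500})
# The rule as given in the post: match on source port only.
LOOSE = AllowRule("udp", CAMERA, sports=IKE_PORTS)
# Tighter: IKE and NAT-T use 500/4500 as the destination too, so require both.
# On a Linux router (assumed table/chain names) that is roughly:
#   nft add rule inet filter forward ip daddr 192.168.20.10 \
#       udp sport { 500, 4500 } udp dport { 500, 4500 } accept
TIGHT = AllowRule("udp", CAMERA, sports=IKE_PORTS, dports=IKE_PORTS)

ike_from_vendor = Packet("udp", NETATMO, 500, CAMERA, 500, inbound=True)
probe_sport_500 = Packet("udp", ATTACKER, 500, CAMERA, 1900, inbound=True)  # poking SSDP


def verdicts(rules):
    """Run the vendor's IKE packet and an attacker's probe through a fresh filter."""
    fw = StatefulFilter(rules)
    return fw.process(ike_from_vendor), fw.process(probe_sport_500)


if __name__ == "__main__":
    print("no rule:   ", verdicts([]))       # ('drop', 'drop')
    print("loose rule:", verdicts([LOOSE]))  # ('accept', 'accept')
    print("tight rule:", verdicts([TIGHT]))  # ('accept', 'drop')
```

Once the accept rule has matched, the flow entry it creates is what lets the camera’s replies back out and the rest of the exchange in, so nothing about the camera’s own behaviour has to change; only the first unsolicited datagram needs the rule.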

Philips Hue

Again, all was working super until one day geofencing and alarms broke. Trying to connect the bridge to the online account (My Hue) would literally cause the bridge to crash: it would remain on the network but be unresponsive over its built-in web interface or even to ZigBee light switch presses.

Philips technical support haven’t been great and blame it all on home networking despite being given packet captures.

Fix: None so far

Workaround: Connect your Hue bridge into Homekit and use the automation features of Apple TV instead.

Update 05/03/17: this randomly started working again recently. Still no word from Hue support though.

Thoughts on the CISSP

Disclaimer: I’m a member of the SANS Advisory Board. SANS is a competitor certification awarding body to ISC2. None of the examples below are real questions from either exam and shouldn’t be used as revision!

I recently clocked up enough elapsed time (after the experience reduction for my GSEC) to be eligible for the CISSP, took the exam, passed and, after a wait, was awarded it.

There are a reasonable number of comparisons out there between the GSEC & CISSP but none that I found that look at it after CISSP updated the common body of knowledge in 2015.

Broadly the style of the exams is similar in that they’re both computer-based proctored affairs at Pearson testing centres (CISSP used to be pen & paper!). The GSEC is shorter (180 questions against 250, 5 hours not 6) and also has the benefit of allowing one 15 minute stopped-clock break at any point. The biggest difference though is that the GSEC is open book while for the CISSP everything has to be memorised: this allows the GSEC to test certain things akin to the real world like “which of these nmap switches would you use for x” (i.e. something you’d either google or use the help pages for). Both exams have scenario-type questions: “you’re the security officer for Widgets Inc., which is the best firewall for a DMZ if you’re worried about DDoS?” and hotspot / drag & drop multiple-correct-answer types. Both allow questions to be flagged and revisited.

I found the revision for the GSEC adequately prepared me for the content and style of question I faced in the real exam. Mock tests are available, which again were fairly close to the real thing. The CISSP was not so – I read a variety of books (Eric Conrad’s), the SANS bootcamp course and the official ISC2 flashcards app but once in the exam the questions felt wildly different to anything I’d revised for. This isn’t helped by the 25 ‘wildcard’ questions thrown in that don’t count!

I’ve never failed an exam in my life but I honestly found myself at the halfway point thinking I’d failed it. Genuinely that bad. Where I could answer things quickly and confidently I did so; anything I was 90% on I answered but flagged; anything I had no clue on I left blank and flagged. The first pass left me with maybe 50 questions I had to go back and review, although I probably only changed a couple of answers on the second look. An actual advantage was gleaning information from later questions to use in earlier ones.

It’s certainly been said that to pass the CISSP you have to ‘think like a manager’ which I always felt was a bit derogatory but I think it really means to think at a high level, never be afraid to give an answer that refers to outside experts and always prioritise human safety.

The CISSP, like the GSEC, is certainly a mile wide and an inch deep – although I think the GSEC is maybe more like an inch and a half! For both, having experience in the field is certainly a blessing and a curse: you need some outside knowledge but you’re often tempted to add extra information into the questions – “I do change management differently to that at work”.

So which is the better exam? From an experience perspective I’d say the GSEC was the more ‘enjoyable’ and perhaps relevant to the day job. It certainly taught me some new things to take back to the day job too. But the GSEC is not so widely recognised so if you want to pass that automated screening bot on your next job search then maybe the CISSP is the one to go for.

Controlling your lighting with Hue and Perl

It seemed like a ridiculous extravagance to be able to control your home lights with some very expensive Philips Hue lightbulbs but having lived with them for a bit I’m actually quite impressed at how well they work and the range of lighting they can produce.

My next thought obviously then turns to ‘how can I make my lighting do something more useful?’. The Hue iPhone app is quite clever (geofences allow you to turn the lights on as you arrive home, for example) and IFTTT integration is also fun but rather limited (only one light at a time, no conditional triggers). Philips have kindly documented the Hue API and it’s pretty straightforward to use – time to break out the Perl.

There is a Perl module on CPAN (Device::Hue) but it’s not all that great so I decided just to poke the Hue bridge directly, and as it’s just JSON, this is pretty easy.

So here are a couple of examples of things I’ve done. I wouldn’t consider them re-usable as they are but are probably a useful starting point if you’re thinking of doing something similar.

  • Before using these you’ll need to set up a new user’s API key on the bridge; just follow the Philips instructions to do this.
  • You’ll also need to know the IP/URL to your bridge on your network.
  • As the colour space (‘hue’) is a bit complicated to determine, I’ve tended to configure the lights to how I want them then do a GET of the light state and then reused those values in the script. Probably a nicer way to work this out but for these quick and dirty scripts it’ll be fine.
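As an added example (mine, not from the post, and in Python rather than the post’s Perl): a nicer way of working out the hue/sat/bri values than copying them off the bridge, plus the two other pieces the scripts below gloss over, pulling the reusable values out of a GET reply and checking what the bridge says to a PUT. The bridge address and API key are placeholders; SAMPLE_LIGHT and SAMPLE_OK are constructed bridge replies.

```python
"""Added example (not from the post): RGB <-> Hue light state, reading a light's
current state, and checking the bridge's reply. Bridge address and API key are
placeholders; the sample JSON is constructed."""
import colorsys
import json
import urllib.request

HUE_MAX, SAT_MAX, BRI_MAX = 65535, 254, 254   # ranges Philips document for the v1 API


def rgb_to_hue_state(r, g, b, on=True, transitiontime=None):
    """Map 0-255 RGB to the light-state body; Hue's hue/sat/bri is plain HSV."""
    h, s, v = colorsys.rgb_to_hsv(r / 255, g / 255, b / 255)
    state = {"on": on, "hue": round(h * HUE_MAX), "sat": round(s * SAT_MAX),
             "bri": max(1, round(v * BRI_MAX))}
    if transitiontime is not None:
        state["transitiontime"] = transitiontime   # tenths of a second
    return state


def hue_state_to_rgb(state):
    """Inverse mapping, for checking what a light you set by hand actually is."""
    h, s, v = state["hue"] / HUE_MAX, state["sat"] / SAT_MAX, state["bri"] / BRI_MAX
    return tuple(round(c * 255) for c in colorsys.hsv_to_rgb(h, s, v))


def state_url(bridge, api_key, light_id):
    # The key is the only credential and travels in the URL over plain HTTP on the LAN.
    return "http://%s/api/%s/lights/%s/state" % (bridge, api_key, light_id)


def current_state(light_json):
    """Pull the reusable values out of a GET .../lights/<id> reply."""
    light = json.loads(light_json)
    return {k: light["state"][k] for k in ("on", "hue", "sat", "bri")}


def check_reply(reply_json):
    """The bridge answers a PUT with a list of {'success': ...} / {'error': ...} items."""
    items = json.loads(reply_json)
    errors = [item["error"] for item in items if "error" in item]
    if errors:
        raise RuntimeError("bridge rejected the update: %r" % errors)
    return len(items)


def put_state(url, state, timeout=5):
    """PUT the state body to the bridge and return the number of accepted fields."""
    req = urllib.request.Request(url, data=json.dumps(state).encode(), method="PUT",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return check_reply(resp.read().decode())


# Constructed sample of a GET reply, trimmed to the fields used here.
SAMPLE_LIGHT = ('{"state": {"on": true, "bri": 190, "hue": 34440, "sat": 220, '
                '"reachable": true}, "name": "Down light"}')
SAMPLE_OK = ('[{"success": {"/lights/1/state/on": true}}, '
             '{"success": {"/lights/1/state/hue": 43690}}]')

if __name__ == "__main__":
    print(rgb_to_hue_state(0, 0, 255))            # {'on': True, 'hue': 43690, 'sat': 254, 'bri': 254}
    print(hue_state_to_rgb(current_state(SAMPLE_LIGHT)))
    print(check_reply(SAMPLE_OK))
    # put_state(state_url("bridgeurl", "apikey", 1), rgb_to_hue_state(0, 0, 255))
```

Two things worth knowing when adapting the scripts below: the v1 API documents sat as 0 to 254 and bri as 1 to 254, so if you send 255 as the scripts do, look at what `check_reply` makes of the answer; and because the API key is the whole credential and sits in a plain-HTTP URL, keep the scripts readable only by the user that runs them and treat anyone on the LAN as able to control the lights.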

Lights on at sunset

I trigger this via cron at (say) 3pm daily, it then just checks every five minutes if the sun has set for that particular day yet before exiting. The lights get turned off by Hue app scene timer or by hand.

#!/usr/bin/perl
# Lights on at sunset: started from cron in the afternoon, polls every five
# minutes until the sun has set, then sets the two lights and exits.

use common::sense;
use Astro::Sunrise;
use IO::Handle;
use HTTP::Request;
use LWP::UserAgent;

open my $LOG, '>>', '/scripts/lights.log' or die "Unable to open log for writing: $!";
$LOG->autoflush(1);    # $| = 1 only affects STDOUT, so flush the log handle explicitly

# sun_set(longitude, latitude) returns "HH:MM". The optional further arguments
# are altitude, iteration, time-zone offset in hours and a DST flag; pass the
# last two if your local time is not UTC or the comparison below is out by the offset.
my $sunset = sun_set( 0.0, 50.0 );    # long, lat
$sunset =~ s/://g;                    # "16:30" -> "1630" so it compares numerically

# Bridge address and API key are placeholders. The key goes in the URL over
# plain HTTP, so keep this script readable only by the user that runs it.
my $uplighturl   = "http://bridgeurl/api/apikey/lights/1/state";
my $downlighturl = "http://bridgeurl/api/apikey/lights/2/state";

my $uplight   = '{"on":true, "sat":220, "bri":26,  "hue":34440}';
my $downlight = '{"on":true, "sat":220, "bri":190, "hue":34440}';

while (1) {
    my ( $min, $hour ) = ( localtime() )[ 1, 2 ];

    # Zero-pad both fields: a bare join gives "175" for 17:05, which is
    # numerically less than 1630 and the lights never come on.
    my $curtime = sprintf '%02d%02d', $hour, $min;

    if ( $curtime > $sunset ) {
        print $LOG "$curtime is after $sunset, turning lights on\n";
        setlight( $uplight,   $uplighturl );
        setlight( $downlight, $downlighturl );
        exit 0;
    }

    print $LOG "$curtime before $sunset, sleeping...\n";
    sleep 300;
}

# PUT a JSON state body to one light and log what the bridge said.
sub setlight {
    my ( $body, $bridgeurl ) = @_;
    my $req = HTTP::Request->new( 'PUT', $bridgeurl );
    $req->header( 'Content-Type' => 'application/json' );
    $req->content($body);
    my $lwp      = LWP::UserAgent->new( timeout => 10 );
    my $response = $lwp->request($req);
    print $LOG "bridge replied: ", $response->decoded_content, "\n";
}

Tell me what the weather & tube is like before I leave the house

In the mornings I’d quite like to know if I need to take an umbrella, the tube is broken, or both. I have a lamp on the exit route that shows blue (rain), red (tube) or purple (apocalypse). I’ve used a couple of API services for tube & weather that return things in a nice JSON format that plays well with Perl, but you can adapt for your own uses.

#!/usr/bin/perl
# Morning status light: red for tube problems, blue for rain, purple for both.

use common::sense;
use JSON;
use HTTP::Request;
use LWP::Simple qw(get);
use LWP::UserAgent;

# Both endpoints are as used when this was written; check they still exist and
# what they now require (OpenWeatherMap, for one, needs an appid parameter).
my $tubestatusurl = "http://api.tubeupdates.com/?method=get.status&lines=jubilee&format=json";
my $weatherurl    = "http://api.openweathermap.org/data/2.5/forecast/daily?q=London,uk&cnt=1&mode=json&units=metric";

# Bridge address and API key are placeholders.
my $bridgeurl = "http://bridgeurl/api/apikey/lights/1/state";

my $tubebroken = '{"on":true, "sat":255, "bri":255, "hue":65527}';    # red
my $raintoday  = '{"on":true, "sat":255, "bri":255, "hue":47124}';    # blue
my $apocalypse = '{"on":true, "sat":255, "bri":255, "hue":58009}';    # purple

# Bit 0 = tube problems, bit 1 = rain, so 3 means both.
my $lightcounter = 0;

my $tubejson = get($tubestatusurl) or die "Could not fetch tube status";
my $decoded_tubejson = decode_json($tubejson);

my $tubestatus = $decoded_tubejson->{response}{lines}[0]{status} // '';

if ( $tubestatus =~ /good service/i ) {
    print "Good status\n";
}
else {
    print "Jubilee line problems\n";
    $lightcounter = 1;
}

my $weatherjson = get($weatherurl) or die "Could not fetch weather";
my $decoded_weatherjson = decode_json($weatherjson);

my $weather = $decoded_weatherjson->{list}[0]{weather}[0]{main} // '';
if ( $weather =~ /Rain/ ) {
    print "Rain today\n";
    $lightcounter += 2;
}

if ( $lightcounter == 1 ) {
    setlight($tubebroken);
}
elsif ( $lightcounter == 2 ) {
    setlight($raintoday);
}
elsif ( $lightcounter == 3 ) {
    setlight($apocalypse);
}

# PUT a JSON state body to the lamp and print what the bridge said.
sub setlight {
    my ($body) = @_;
    my $req = HTTP::Request->new( 'PUT', $bridgeurl );
    $req->header( 'Content-Type' => 'application/json' );
    $req->content($body);
    my $lwp      = LWP::UserAgent->new( timeout => 10 );
    my $response = $lwp->request($req);
    print $response->decoded_content, "\n";
}

 

A month with a Windows phone

I was recently given the choice of a new work phone and decided on an HTC 8x, mostly to see how Windows Phone 8 behaves. My thoughts in summary format:

  • I do love the live tile UI – having an at-a-glance indication of stuff (like weather, calendar, tube status) is a really nifty and innovative thing. It works much better on a phone or tablet interface than it does on a desktop computer though.
  • The app store is a mixed bag but functionality wise it’s great with a unified search that brings in results from apps, music, games all in one place, the ability to browse the store from another computer’s web browser then “push” that app to your phone and best of all is trial mode where you get a free time-limited or functionality-restricted version of the app to use to decide whether it works or not. On the other hand, it’s lacking a lot of the content but I have found apps for all my major needs like evernote, foursquare, twitter and lastpass.
  • In a similar vein, IE10 is ok but it’s a shame there’s no version of Chrome available as IE10’s tab switching is clunky.
  • It took me a while to work out some of the UI – the “back” button also seems to do a lot of things, including task switching, which I find a bit clunky. It’s also lacking a decent way of scrolling back up to the top (on Android and iPhone I’m used to tapping the top of the screen in some way).
  • Integration with a desktop computer is basic (but the phone app is still “preview 2”? really?) but gets you there, especially as it’s just a mass storage device allowing you to drag and drop your music straight onto the device. This alone is worth considering switching away from Apple in my opinion.
  • Skydrive integration is seamless, office documents just get copied back and pictures get uploaded perfectly with no messing and you can see it all dropbox-like on the web or via the syncing apps on the desktop. This is really one of the most important things Microsoft have done right and it puts iCloud to shame.
  • On the hardware level the HTC 8x is probably the best Windows Phone 8 handset right now (the Lumia 920 is just too big) – the feel of it is lovely with its rubberised back – but I just can’t quite get the knack of the buttons. The volume rocker gives you no tactile indication of which way is up and down, and often I find myself mashing the volume when I’m going for the lock switch on the top. Little things, but they do detract a bit.
  • Battery life is not too shabby; I easily get a couple of days use between charges (and that’s without turning the power-saving mode on).
  • The camera is ok, but just ok. The Microsoft “Blink” app is a nice camera app that starts taking photos before you even press the shutter and allows you to select the best version. On a similar note I like the way camera and photo apps plugin to the central photos hub and allow you to mess with filters and upload stuff from one place.
  • The screen is not too bad, the colours are certainly nice and vibrant and the white balance is good. It’s not quite as sharp as the iPhone 5’s screen though (HTC on the left, iPhone 5 on the right):
    [image: HTC 8x and iPhone 5 screen comparison]

Overall it’s a nice experience but it’s let down in a couple of areas and you just get that feeling that it’s just not quite finished, but give it six months and it’ll be great.

Would I buy one? Absolutely.
Would I replace my iPhone 5 with one? Not just yet.

Instrumenting your house

I recently bought a bunch of wireless sensor tags from a guy in California. The little sensors report movement and temperature back to a ‘tag manager’ that you plug into your router. There’s then a cute little web/iOS/Android app that allows you to configure them and also receive notifications when they get too hot or are moved.

My main reason for doing this is that we keep temperature-sensitive medication in the fridge at home and the paranoia in me wanted some way of knowing if the fridge door has been left open, or that the compressor has failed.


 

Whilst pretty straightforward to get going, I’ve found configuring them to be a steep learning curve: the UI has an amazing array of configurable options (which is a good thing) but due to the sheer number of them and the inherent delay in seeing updates it can be a bit confusing to see the results of your fiddling. I was also thrown by the fact that the temperature sensor in the tags needed calibrating first. The reported power state of the tags also seems to vary wildly, perhaps related to the cold of the fridge, which makes it difficult to know how long the battery is going to last.

I’m still not yet at the level where I completely trust the tags to alert me when something bad has happened, but I don’t think it’ll be too long until that’s the case. If you’re looking for a neat little solution that tells you where things are, or how hot something is, I think these are definitely worth a punt.