Episode 12 - Hackers Wishlist - Security Chipmunks

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
Welcome.

(00:08):
My name is Mixed Edna Johnson,and I am here with my co-host
Neil Smalley and PatrickLowther.
I'm glad to be here with youtoday.

SPEAKER_00 (00:16):
Glad to be here.
It's nice to be here.

SPEAKER_01 (00:22):
So I was, uh...
Looking into what challenges arecoming up.
We've got the Sands HolidayChallenge and KringleCon coming
up.
Are either of you participatingin that this year?

SPEAKER_02 (00:36):
I hadn't planned on it personally, but then again, I
am trying to finish up someschool stuff here before the end
of the year.

SPEAKER_00 (00:44):
Nice.
Yeah, I'll probably be hoppingin the Sands Holiday Challenge.
That's usually a pretty solidfun time.
Plus the music that goes withit.
Can't beat it.

SPEAKER_01 (00:57):
Yeah.
True.
Yep.
And so in our Discord, we'reworking through the TriHackMe
Advent of Cyber 3.
So we're offering anyone thatjoins us in our Discord to get a
shiny special security chipmunksticker.
It's shiny and holographic.

(01:19):
So we'll be offering support andencouragement, and we'll be
working together to get thosechallenges solved.
And another thing that we'redoing is the Security Chipmunk
Secret Santa Exchange.
This is the first year we'redoing it.
And we've got a suggested limitof$50.

(01:39):
And we're getting some hackersjoining in, security experts.
And it'll be a fun thing to do.
So we encourage you to join ourDiscord and join in our...
Secret Santa exchange and havingsome fun and sharing that
holiday joy this season.

SPEAKER_00 (02:00):
We should do a cookie exchange too.

SPEAKER_01 (02:05):
I like cookies.

SPEAKER_00 (02:07):
Yeah, me too.

SPEAKER_01 (02:08):
Are they real cookies or web cookies?

SPEAKER_00 (02:11):
Why not both?
That would be

SPEAKER_02 (02:14):
pretty good.
You have to authenticate withthe cookie to the website to get
the cookies.

SPEAKER_00 (02:23):
That's actually kind of a good little idea for a
holiday challenge.
Kind of like with the Hack theBox challenge.
We'll put together a littlecontest and whoever gets into
the website can put in whateverthey want their dead drop

(02:47):
located and we'll dead drop themsome cookies.
Precisely.

SPEAKER_01 (02:52):
Yeah, that sounds fun.
Speaking of the Secret Santa andHoliday Gifts Exchange, we were
putting together a list of somethings that the hacker in your
life might be interested in,like hacker gift ideas.

(03:13):
So what were some of the thingsthat...
You wanted...
Neil.

SPEAKER_02 (03:17):
Oh, so...
Personally, I don't think youcan go without a good fanny pack
as a hacker.
Like, having somewhere to putall your floppy disks is an
essential part of anyaccoutrement.
And so...
They call them lumbar packs, butthey're really fanny packs.

(03:41):
So Mountain Smith makes somereally good lumbar slash fanny
packs.
So these aren't like your smalljogging ones.
These will actually fit like an11 inch Chromebook or something
like that typically.
You'd have to double check theproportions on the pack you're

(04:04):
ordering of course, but Yeah,they can usually carry some
small items like a tablet orsomething like that.
So it can be quite handy to havesomething to handle all those
cables or whatever you mightneed to be storing in there.

SPEAKER_01 (04:22):
Yeah.
So I know that people in theindustry, cybersecurity
professionals, they loveclothing.
So two websites where you couldget clothing from are
ZeroDayClothing.com andHack.XXX.

(04:45):
I just did a Secret Santaexchange, a Hacker Secret Santa,
and I got a Cult of the Dead Cowblanket that was from the
Hack.XXX website.
Very nice.
It was a very soft blanket.

SPEAKER_02 (05:00):
Very cool.

SPEAKER_00 (05:01):
Blankets are great.
I'm always a big fan of reallycomfortable socks.

SPEAKER_01 (05:06):
Nice.
All right.
Being comfy is important.

SPEAKER_00 (05:10):
It is.
Either that or work at homeattire.
Pajama pants and stuff like

SPEAKER_02 (05:19):
that.
That's a good point.
I personally last year hadreceived a hooded bathrobe and
that was pretty life changingit's like the work from home
equivalent of the hacker hoodieI think

SPEAKER_01 (05:35):
yeah nice very cool so I kind of have a maker spirit
so one thing that I like andI've subscribed to these boxes
before it's called hacker boxesand so you get like a box of
electronics and you'll get likethree or four projects in it and
can solder it together andSometimes there's like Arduinos

(05:57):
and you have to code it.
Yeah, so some cool things inthere.
Sometimes they'll have badges.
Sometimes they'll have niftytools that are handy.
Neil looks so surprised.

SPEAKER_02 (06:12):
That's because I think I accidentally muted
Patrick by mistake.

SPEAKER_00 (06:21):
I'm fine.
Don't worry about it.
Or, you know, since the oldhackers love caffeine type of
thing, there's always quite afew caffeine lovers, so like a
really good...

(06:41):
What do they call them now?
It's not the Yeti, but somethingsimilar to that, like a Contigo
or a Yeti or whatever.

SPEAKER_02 (06:50):
Yeah.

SPEAKER_00 (06:52):
Tumblers.
That's what they are.

SPEAKER_02 (06:54):
Tumblers, yep.

SPEAKER_00 (06:56):
Yeah.
Those are always really nice tohave.
I like the big ones, so I canjust fill it up and drink.
Yes.
Keep

SPEAKER_01 (07:06):
that caffeine going.
Incredible.
For

SPEAKER_02 (07:11):
sure.

SPEAKER_01 (07:13):
So another thing that people that are security
conscious might like isYubiKeys.
Those are great.
That's something that you havefor authentication, logging in.

SPEAKER_02 (07:31):
My personal favorite, I actually just
ordered one the other week.
Sitting here on my desk is theYubiKey 5 NFC version.
That way I don't have tostruggle with finding an adapter
for my phone or even getting themore expensive USB-C type one.
The NFC one is not only cheaper,it lets me use it with my phone.

SPEAKER_01 (07:54):
It's

SPEAKER_02 (07:56):
pretty handy that way.

SPEAKER_00 (07:57):
Since it's NFC, have you tried playing around with it
where you could actually stealthat NFC signal?

SPEAKER_02 (08:07):
Not really, but then again I'm not too worried about
that just because of how closeI've had to get it.
I'm sure you could probablyboost the signal if you really
tried, but it just hasn'tbeen...
a particular issue for me.

(08:28):
I mean, if I was really worriedabout it, I'd get something like
a silent pocket or somethingthat makes actual lockers that
you can put your phone in andstuff.

SPEAKER_00 (08:40):
Yeah.
Don't they make a mesh pocket aswell, like a bag that has woven
copper mesh in it that basicallyforms a Faraday cage around it?

SPEAKER_02 (08:49):
Yeah, I mean, that's the idea.
It's basically a Faraday bag foryour phone.
And there are ones that I'm myunderstanding is like they're
actually make decent onesbecause I know there's lots of
brands out there that um don'tmake ones that actually work
that well.

(09:10):
And the silent pocket is onethat I've actually heard of that
is supposed to actually doproper Faraday bags.
I mean, at the end of the day,it's a Faraday bag, right?
So if you boost the signal, it'snot necessarily going to protect
you, right?
So it really depends on whatyou're trying to accomplish.

(09:31):
But for most use cases, Itshould be fine.

SPEAKER_00 (09:36):
The only reason why I brought that up was because
one of my gadgets that I've beentrying to drop hints on is the
Flipper Zero.
The little dolphin Tamagotchithing that's come out.
It's a wireless flipper and youcan sit there and grab NFC,

(09:58):
Bluetooth, Wi-Fi, a whole bunchof different stuff with it.
It's a pretty nifty littledevice so

SPEAKER_02 (10:09):
absolutely the only caveat I would put on that is
that as one of the Kickstarterbackers I've been getting their
you know production logs andwhat not so they've really been
hit hard with the supply chainshortages and so even now
they're still in production oflike their first run or whatever

(10:30):
like the very first few runs soas backers, we're still way
beyond even getting that initialfew badges.
I guess not like initial run,because they had different
stages of runs that they'redoing.
I think I'm probably in thethird stage.
I think they were doing fivedifferent run versions or

(10:50):
something.
Anyway, I don't have thetechnical breakdown, but yeah,
they were way in.
Even getting the LCD screenspecifically for the circuit
board for it, they were waitingon that for a while.
I think they finally just gotthose in.
So yeah, it could be a bitbefore you actually get it, but
it does look pretty darn cool.

SPEAKER_01 (11:11):
So as we're getting into the holiday season, we
should probably be making surewe're talking to kids about
online safety again.
That should be an ongoingconversation, and sometimes you
think you've talked with themwell enough and you've drilled
it into their head plenty enoughtimes, but find out that maybe

(11:32):
they haven't.
So I recently found out that uhmy kids opened up their
minecraft server and theirdiscord server to people from
the internet so we had to have aconversation about that and make
some changes so that they aren'ttalking to some random people
that they don't know

SPEAKER_02 (11:56):
so i know some people talk about like how they
monitor everything and they justlike have everything thing
locked down like how do you feelabout like in terms of like
parenting like are you gonnalike have all your kids devices
just locked down andeverything's filtered and like

(12:16):
all these web proxies and stuffor how like how do you have that
conversation or like how do youapproach that

SPEAKER_01 (12:25):
well I have a level of trust with my kids and right
now that trust has been broken abit And so we're working on
reestablishing that trust.
I don't want to lock down theirinternet access completely.
They have websites that they'reallowed to visit and they're not

(12:50):
allowed to put like their realname out online.
We have certain rules that aremeant to protect them from
people finding out like who theyare online and stuff.
But I want them to also learnhow to use the internet.
So if they, I don't want them tolike share personal identifiable

(13:14):
information and stuff, but theyalso like, they use the internet
for school.
They use it to communicate withtheir friends.
Like we've moved out of state.
So now they don't really useFacebook.
So all of their communicationswith their friends is like
through their, films or theirtheir games so it's I'm also

(13:41):
like evaluating their mentalhealth because they because of
the pandemic they haven't beenable to make friends where we
live now so they're all like allof their friends are online so I
don't want to just cut that outof their life you know because
that would be really hard soit's a balance And it was a

(14:07):
difficult event for us with thatbreach of trust that we had.
And we'll work through it.
And I'm now taking a lot morecharge of their online
communications.
So that adds like an additionalburden to me.

(14:29):
What about you guys?
What do you think, Patrick?
How do you deal with your kidsbeing online?
It

SPEAKER_00 (14:40):
depends.
My oldest, he's 18.
You know what?
He can pretty much do whateverhe wants within reason.
I'm not going to say there's nottraining wheels on my own
network work or guard rails oranything like that internally

(15:03):
you know I run basically DNSguard and stuff like that and
what that will do is knock downjust a whole bunch of not only
is ads and all that good garbageyou can also set up certain
resolver groups for you knowdevices and things like that
with that and so you canactually filter the kids traffic

(15:26):
based on that depending on thekid and how old they are and
what my wife and I deem isappropriate for them they may
not be able to get certainwebsites or anything like that
things like YouTube or anythinglike that they all have
basically sock accounts that wecan use and as parents my wife

(15:46):
and I we can go in and set likewhat content should be available
to them on the account so it'sbetter than just saying no
YouTube or saying here's all ofYouTube you know so that way you
can yeah actually use withinlike youtube kids like those
accounts and you can track anduse basically like the content

(16:08):
filtering within uh googleprovides to get you that stuff
also with that you can then havea spare burner account um if you
ever need it but

SPEAKER_01 (16:21):
uh

SPEAKER_00 (16:22):
yeah i mean that's typically what we do with our
kid they have access to theinternet but like their devices
are um like all enrolled in likescreen time and everything like
that so we control those whatthey can and can't do on the
devices via that they havegeneral content filtering all
that good stuff so um and thenwhen they get mouthy or lippy

(16:46):
you know uh dad plays aroundwith the old ubiquity gear and
uh basically applying ratelimiting and stuff like that so
they end up getting like a 56kconnection on the wi-fi Welcome
back to my day, kids.
This was nice.
Yeah.

SPEAKER_02 (17:09):
RuneScape.

SPEAKER_00 (17:12):
Yeah.
Okay, your hour's up.
I just

SPEAKER_02 (17:16):
logged in.

SPEAKER_00 (17:19):
Uh-oh, somebody's calling.
You just got disconnected.
Exactly.

SPEAKER_01 (17:26):
Yeah, back in those days.

SPEAKER_00 (17:28):
So that I mean, that's typically how I approach
it.
I mean, I, I have trust with thekids, but I'm also going to
guard realm and like, they won'tsee like the full internet
until, you know, that they getteenagers and stuff like that.
Um, like their school devicesand all that.
I don't trust their schooldevices at all.

(17:50):
So they are, they are prettymuch, uh, client isolation mode
and they can get on a, uh, withUbiquity you can run multiple
SSIDs so they have their ownSSID on that that tosses them in
their own little VLAN their VLANcan't talk to any of my devices

(18:11):
or anything like that and I keepthem away from my stuff because
my lab environment will be doingthings that they don't need to
be in and I don't trust theschool district to keep their
stuff up to date or anythinglike that so yeah all that fun

(18:32):
stuff

SPEAKER_02 (18:34):
yeah so is that I think you said something about
AdGuard is that AdGuard.com orDNSGuard

SPEAKER_00 (18:42):
DNSGuard yeah so DNSGuard or if you wanted to do
like a Cisco used to have it wasOpenDNS yeah OpenDNS is very
similar to it What else can youdo?
If you're looking for like opensource solutions, things like

(19:03):
PyHole, PyHole DNS, or PyHole,it's basically a Raspberry Pi
distribution that runs DNS andDCP on it.
And basically you set yourdevices to pull DCP from that
and it will DNS black holethings for you.
I think there's on PFSense, youcan do DNS block as well.

(19:27):
Yeah, there's a whole slew oftechnology that you can roll out
for that but my home networkstack like the non lab side of
the house is ubiquity gearrunning like the access points
and all that fun stuff sotypically leverage a lot of that

SPEAKER_02 (19:48):
oh speaking of ubiquity did you hear about the
hullabaloo over there

SPEAKER_00 (19:52):
yeah that's actually funny the insider 3 You know,
everybody says, oh, there's no,you know, we trust our people.
Well, insider threat rightthere.
Yep.
Did you see how he got caught?

SPEAKER_02 (20:09):
Wasn't it like his$5 VPN had an IP leak?

SPEAKER_00 (20:15):
Yes, a$5 VPN.
That's just hilarious.

SPEAKER_01 (20:28):
Mm-hmm.

SPEAKER_02 (20:30):
Yeah, I mean, a lot of VPNs are just pay to slow
your traffic down, and that'spretty much the benefit of it.
Well, aside from being able toaccess Netflix from other
countries, that's pretty muchyour basic use case at the end
of the day for a lot of those.
Unless you're rolling your own,and even then, that can be

(20:53):
problematic.

SPEAKER_00 (20:53):
To me, it's interesting.
I mean, this is where I'm goingto start sounding old again.
But like back in the earlierdays of internet relay chat, one
of the popular things to do wasto scan for what's called
WinGates.
And WinGates were basicallycomputers running software that

(21:14):
you can openly connect to, likean open WinGate, and basically
use it as a proxy.
And so you'd start scanning,like when somebody would join a
channel, you could kick off aport scan on like a network and
look for open wind gates.
And as you gather more and more,you could use that to feed into

(21:39):
your small botnet or anythinglike that that you may have.
And then all of the bots thatare connecting would then have a
layer of protection.
So when they would try to getDDoSed offline or anything like
that, they'd be attacking thewind gate.
And so the bot could come backon just by pulling another proxy

(21:59):
and connecting through that.

SPEAKER_02 (22:02):
Interesting.

SPEAKER_00 (22:07):
Those were the days.
Since we were kind of talkingabout internet safety and stuff
around the holidays and allthat, make sure as parents or as
security-minded folks, you runupdates on your new devices and

(22:28):
your new toys and everythingeverything like that you know
make sure you're right becauseyou get a brand new like laptop
and all of a sudden you don'thave anything installed on there
or anything like that you startbrowsing the internet you know
and all of a sudden you gotyourself a fun filled malware

(22:52):
machine

SPEAKER_02 (22:54):
so do you do like scripts or do have like
playbooks or anything that youuh put up your new hardware with
when you get it

SPEAKER_00 (23:07):
typically what i'll do is i'll connect it to the
internet only after i'veinstalled like a bare minimum of
uh like tooling available for itso things like i'm going to put
on my web browsers of choicefirst um use like offline update
from for windows uh toss windowson like that everything that can

(23:30):
fit on like a usb key type ofthing so you you know go from a
known good host to here's myother stuff i can deploy up so

SPEAKER_01 (23:42):
yeah good advice all right

SPEAKER_00 (23:54):
or if we want to toss in a plug for Microsoft
here, what you could do is run ahome lab with, say, five E5
licensing in it.
and then toss those new devicesinto an Intune.
And so when you sign into itwith a new device with like your

(24:15):
small domain credentials, Intunewill detect that, oh, hey, you
know, you're credentialed andyou have access to like the E5
licensing.
So that means you can haveaccess to Windows 10 Enterprise
or Windows 11 Enterprise.
And then you can have it kickoff a deployment of your

(24:36):
baseline software that way.
It's all about that zero touch.

SPEAKER_02 (24:44):
Yeah, that's for sure.
Speaking of tooling and tools,there are some interesting tools
that people put out this monthor even websites.
So the first one I was lookingat is called cvetrends.com and
so basically someone took someTwitter APIs and combined it

(25:08):
with data from NIST's NVD.
And so that's theirvulnerability data feeds.
And then they also combined itwith the GitHub APIs.
So it's now in kind of like atweet deck, like column to view
there of 10 most recent ones orsomething like that.

(25:30):
And so then it breaks it down bythe description and severity and
then it gives you all the recenttweets relating to it so it's
pretty cool in that regards

SPEAKER_01 (25:42):
yeah I saw the tweet deck looking one it's nice

SPEAKER_02 (25:46):
and then the other thing wasn't necessarily
strictly security related but ifyou use python at all and you're
familiar with the pandas librarythere's something now called
pandastutor.com which will helpyou visualize how to use the
pandas So pandas helps you workwith basically databases.

(26:13):
And so that's a way you canactually look at what connects
to what else.
And it's a very convenient wayto visualize stuff that would
normally be pretty confusingotherwise.

SPEAKER_01 (26:29):
Yeah.

SPEAKER_00 (26:30):
Actually, if we wanted to tie that back to
security, common thing to do andand Jupyter playbooks is have
Python.
And so if you're doing like abrowser-based type of Python,
that would help you visualizesome of your results and your
data within those Jupyterplaybooks.

SPEAKER_02 (26:49):
Right, so in Jupyter, typically it'll only
show the, like it says on thewebsite, it'll only show the
input data and the final result.
So this helps you break downwhat's actually going on behind
the scenes, it says, as it were.
So what the code is actuallydoing, that's very kind of

(27:10):
step-by-step.
So I think anything that's verystep-by-step can be helpful when
you're just trying to learn it,or even if you're just trying to
debug a problem that's complex.
All right.

SPEAKER_01 (27:23):
I want to remind our listeners to join us on our
Discord.
You can find the link to join atsecurityjibmonks.com.
And we are participating in theTryHackMe, AdventCyber3, as well
as we have the Security ChipmunkSecret Santa Gift Exchange
happening.

(27:44):
So join us so you can come havefun with us and connect with
your fellow cybersecurity-mindedfriends.

All Episodes

Episode 12 - Hackers Wishlist

Episode Transcript

Popular Podcasts

Stuff You Should Know

Dateline NBC

The Burden

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Episode 12 - Hackers Wishlist