Justin Robinson

An Introduction to Automating Open Source Intelligence Using SpiderFoot

SpiderFoot - An Open Source Intelligence Tool

What Is OSINT?

Open Source Intelligence (OSINT) is a methodology for collecting, analyzing, and making decisions using publicly available sources of data. According to Wikipedia, OSINT sources can be divided into the following categories:

  • Media, print newspapers, magazines, radio, television
  • Internet, online publications, blogs, discussion groups, citizen media
  • Public government data, public government reports, budgets, hearings, telephone directories, press conferences, websites, speeches
  • Professional and academic publications, information acquired from journals, conferences, symposia, academic papers, dissertations, theses
  • Commercial data, commercial imagery, financial and industrial assessments, and databases
  • Grey literature, technical reports, preprints, patents, working papers, business documents, unpublished works, newsletters

The purpose of OSINT is to create a tailored level of knowledge (or intelligence) for supporting individuals and groups in making decisions.

A vast amount of information is available publicly. OSINT Framework provides a hierarchical view of hundreds of OSINT resources broken down by a variety of indicators.

What Is SpiderFoot?

SpiderFoot is an open source tool, built in Python, that can query a large number of data sources (over 100 according to its website) to gather information on a number of different target types, including IP addresses, domain names, and even Bitcoin addresses.

SpiderFoot Scan Target Panel

The power of SpiderFoot comes from modules, which are how SpiderFoot organizes data into containers. Some modules, such as those that integrate with Shodan, AlienVault OTX, and HaveIBeenPwned, require an API key from the respective service. API keys can be imported and exported as needed. Approximately 60 services that require API keys are available via SpiderFoot.

Scanning in SpiderFoot is as simple as giving the scan a title, a target, and then by selecting the Use Case, Required Data, or Modules that you’d like to use. Scans can be as detailed or as broad as you’d like.

SpiderFoot Scan Settings Panel

Results are available via several dashboards including the Summary visual below. You can also browse the data in a table, and exclude duplicates, as well as view the data in a graph showing you the connections between data points.

Spiderfoot Scan Summary Panel

In summary, SpiderFoot is a web-based tool for collecting, analyzing and storing OSINT data, and is completely open source. It has its limits, like only being able to run one scan at a time. However, it’s so easy to set up, and can be isolated in a Python virtual environment, that analysts can easily have their own instances.

Cybersecurity Daily News for June 20, 2021

Writing

In today’s news; Texas school district hit with ransomware, no phone or email services; New York City’s law department hit by targeted cyber attack; and information from over 500 patients obtained during St. Mary’s, Sisters of Charity hospital data breach.

#cybersecuritynews #infosecnews #ransomware #databreach #cyberattack

Cybersecurity Daily News is a curated list of relevant Cybersecurity and Information Security news from around the globe.

Brought to you by


Cybersecurity Daily News is a curated list of daily news articles produced by Rogue Security Intelligence Services from a number of sources around the world. Sign-up below to receive daily news directly to your inbox.

Daily Intelligence Email Sign-up

A Beginner’s Guide to TLS/SSL Certificates and Website Security

Raise your hand if the company that you work for has a website, or you, yourself, run a website. That’s a lot of hands!

What Is TLS/SSL?

We often talk as if Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are the same thing; however, they’re more like successor and predecessor. Both are cryptographic protocols designed for secure communications. The last version of the SSL protocol was 3.0 and was published by the IETF in 1996. A major vulnerability, given the name POODLE, was disclosed in 2014, which essentially brought an end to SSL.

TLS 1.0 was defined as an upgrade to SSL in a request for comments (RFC) in 1999. The protocols aren’t substantially different, and the name change had more to do with the fact that the IETF wanted to ensure that it was apparent that this was a fork of the protocol.

Regardless of whether we say SSL Certificates or TLS Certificates, we’re almost certainly using the TLS protocol.

Website TLS/SSL Certificates

A TLS/SSL certificate is a pair of files: one containing a private key that only the server knows, and one containing a public key that is used to create a trusted relationship. A process known as a “handshake” occurs when you visit a website that uses an SSL certificate. This handshake can be a little confusing, but the diagram below does a pretty good job.

Source: https://www.entrust.com/resources/certificate-solutions/learn/how-does-ssl-work

How TLS/SSL Protects Your Website

The purpose of a TLS/SSL Certificate is to create a trusted relationship between your computer’s web browser, and the server hosting the website. Once this relationship is created, any communication between these two points, your browser and the website server, is encrypted using the private key that only the server has knowledge of. This is how TLS/SSL protects a website visitor’s financial information, such as credit card number, when they enter it into a form on your website.

Along with encryption, the TLS/SSL protocol also provides a form of authentication and integrity. Once the relationship is established, you can be sure that the communications being exchanged aren’t being manipulated and are being sent and received by the same two parties.
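As an added illustration (not from the original post or the linked Entrust diagram), the following Python models the RSA key-exchange handshake that diagram depicts: the browser wraps a premaster secret with the public key from the certificate, only the server’s private key can unwrap it, both sides derive the same session keys, and an HMAC tag makes any tampering detectable. The tiny RSA primes and the stream cipher are toy constructions chosen for readability, not real TLS.

```python
# Toy model of the RSA-key-exchange handshake shown in the linked diagram. Constructed
# for illustration only: tiny RSA primes and a toy stream cipher, NOT real TLS.
import hashlib
import hmac
import secrets

def toy_rsa_keypair():
    """Server key pair: (n, e) goes in the certificate, (n, d) never leaves the server."""
    p, q = 1000003, 1000033                       # small primes chosen for the example
    n, phi, e = p * q, (p - 1) * (q - 1), 65537
    return (n, e), (n, pow(e, -1, phi))

def derive_keys(premaster, client_random, server_random):
    """Both sides derive the same encryption and MAC keys from the shared secret."""
    seed = premaster.to_bytes(8, "big") + client_random + server_random
    return (hashlib.sha256(b"toy-enc" + seed).digest(),
            hashlib.sha256(b"toy-mac" + seed).digest())

def handshake():
    """Return (client_keys, server_keys); the private key only unwraps the secret."""
    (n, e), (_, d) = toy_rsa_keypair()            # (n, e) is what the browser sees
    client_random, server_random = secrets.token_bytes(16), secrets.token_bytes(16)
    premaster = secrets.randbelow(n)               # browser picks the premaster secret
    wrapped = pow(premaster, e, n)                 # encrypted to the server's public key
    unwrapped = pow(wrapped, d, n)                 # only the server can recover it
    return (derive_keys(premaster, client_random, server_random),
            derive_keys(unwrapped, client_random, server_random))

def keystream(enc_key, length):
    """Toy stream cipher keystream (one record per handshake in this demo)."""
    blocks = (hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def protect(keys, plaintext):
    """Encrypt, then append an HMAC tag so any tampering is detectable."""
    enc_key, mac_key = keys
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, len(plaintext))))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()

def unprotect(keys, record):
    """Verify the tag before decrypting; return None if the record was altered."""
    enc_key, mac_key = keys
    ciphertext, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ciphertext, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, len(ciphertext))))

if __name__ == "__main__":
    client, server = handshake()
    record = protect(client, b"order=42&card=TEST")      # form data from the browser
    print(unprotect(server, record))                     # server reads the plaintext
    tampered = bytes([record[0] ^ 1]) + record[1:]        # a changed byte in transit
    print(unprotect(server, tampered))                   # None: integrity check failed
```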

TLS/SSL Testing

Not all TLS/SSL Certificates are the same, and not all website servers implement these certificates in the same way. Implementing TLS/SSL incorrectly, or not configuring the web server with the appropriate settings, can lead to insecurities. Testing your TLS/SSL should be added to your annual checklist and can ensure that your TLS/SSL Certificates are in tip-top shape.

Here are some resources that you can use to easily test your websites.

  • SSL Labs by Qualys – One of our favourites; allows you to hide the results from their community boards for added privacy.
  • Mozilla Observatory – Choose to not show up in public results, and even not get scanned by third-party scanners. Observatory not only scans for TLS/SSL issues, but also for HTTP and SSH issues.
  • Wormly – Wormly gives you a simple TLS/SSL health check report.
  • CryptCheck – Something a little more technical; CryptCheck also runs tests on SSH, SMTP and XMPP.
  • SSL Checker – Visualize and verify the certificate chain.
  • TLS Version Check by Geekflare – Quickly check if your web server uses a deprecated version of TLS.
  • How’s My SSL? – They really mean, “TLS”. How’s My SSL gives you a simple report and rating on your TLS certificate. It also offers an API.
  • Digicert SSL Installation Diagnostics Tools – Diagnostics tool that also allows you to check for common vulnerabilities.
  • SSL Checker – SSL Shopper provides another tool for verifying your TLS/SSL certificate install.

Other Resources

The Mozilla wiki has a great resource that includes details on TLS cipher suites and other TLS configurations to help you improve web server security. I’d be remiss if I didn’t mention the Mozilla Developer Network (MDN) Web Docs which is rife with articles, references, and guides for better web development.

Cybersecurity Daily News for June 19, 2021

In today’s news; Carnival Cruise Lines leaks customer and employee information, again; Humana, a U.S.-based health insurance company, sued after exposing personal data; and Blackbaud data breach still affecting people.

Cybersecurity Daily News for June 18, 2021

In today’s news; East Montreal health authority hit by cyber attack, patient data compromised; Continued attacks on critical infrastructure; and hackers are selling FIFA 21 source code after EA data breach.

Insider Threats and Reducing Risk

According to the 2020 Cost of Insider Threats Global Report, a study by the Ponemon Institute sponsored by ObserveIT and Proofpoint, insider-threat-related incidents averaged a 12-month cost of $11.45M across the organisations polled. If you’re thinking that you’re just a small business and that none of your employees would be party to a cyber attack, you may want to reconsider.

What is an Insider Threat?

An insider threat isn’t just an employee who wishes to do damage to their company. An insider threat can also be a careless employee or contractor, as well as any form of credential theft. More generally, an insider threat is any threat posed by anyone associated with your organization who may have inside (non-public) information regarding your organization’s policies, security practices, data, systems, and even people.

Types Of Insider Threats [1]

An insider threat goes beyond intentionally taking advantage of access that was legitimately given. Insider threats are broken down into the following three categories:

  • Negligent Insiders: Current or former employees, contractors, or business partners who unknowingly or carelessly make errors and disregard policies.
  • Malicious Insiders: Current or former employees, contractors or business partners who knowingly disregard policies and attempt to inflict harm on an organization using the information and access available to them.
  • Infiltrators: External threat actors who obtain legitimate access to an organization.

Negligent and malicious insiders are more common than infiltrators, however, infiltrators are apt to do much more damage.

Reducing The Risk Of Insider Threats

Insider threats are a risk that your organization can reduce without necessarily spending additional money on security controls. The one commonality between the different categories of insider threats, is people. There are a number of administrative and technical security controls that you can implement today.

Employee Hiring/Termination and Awareness Procedures

  • Have appropriate employee screening during the hiring process for persons who handle sensitive or proprietary data, such as background and credit checks.
  • Processes and procedures for employee termination and offboarding including roles and responsibilities for those involved.
  • Raise awareness to the various types of insider threats to both new and tenured employees.

Access Control

  • Having an appropriate access control strategy, documented and reviewed annually, is essential for any information security program, and it also reduces the risk of experiencing an insider threat.
  • Principle of Least Privilege states that each user should only have access to the accounts and services that they need to do their jobs, day-to-day.
  • Separation of Duties is an important concept that encourages the act of access separations based on duties. An example of this is a Desktop Support Analyst having two corporate accounts (joe.analyst & joe.analyst-admin), one account for standard use and the other for elevated/administrator needs.

Device Management

  • Policies and procedures for the appropriate use of company devices and BYOD devices.
  • Ensure that employee devices are keeping logs if audits are needed.
  • Endpoint monitoring or data loss prevention (DLP) technical controls can detect and prevent various insider threat actions.

Third-Party Risk Management

  • Third-party vendors, consultants and clients must not only follow any outlined security policies within your organization, but should also have policies and procedures of their own surrounding insider threats.
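Added example, not part of the original post: a small Python check that reviews constructed audit log lines for the gaps the lists above describe, using the joe.analyst / joe.analyst-admin naming convention from the separation-of-duties item. The log format, the app names, the set of privileged actions and the offboarded-user list are all assumptions for the example.

```python
# Added example: review sample audit log lines (constructed, not real data) for
# the control gaps the section describes: admin accounts used for day-to-day
# work, standard accounts performing privileged actions, and logins by
# offboarded users. Field names and app names are assumptions for the example.
import re

DAILY_USE_APPS = {"outlook-web", "browser-proxy", "teams"}   # standard-account work
PRIVILEGED_ACTIONS = {"reset_password", "add_to_group", "grant_role"}
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """'ts user=x app=y action=z ...' -> dict (timestamp kept under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["ts"] = ts
    return fields

def review(log_lines, offboarded):
    """Return (line_no, rule, user) findings; offboarded is a set of usernames."""
    findings = []
    for no, line in enumerate(log_lines, start=1):
        ev = parse(line)
        user, app, action = ev.get("user", ""), ev.get("app", ""), ev.get("action", "")
        if user in offboarded:
            findings.append((no, "login by offboarded user", user))
        if user.endswith("-admin") and app in DAILY_USE_APPS:
            findings.append((no, "admin account used for daily work", user))
        if not user.endswith("-admin") and action in PRIVILEGED_ACTIONS:
            findings.append((no, "privileged action from standard account", user))
    return findings

# Constructed sample log: the -admin account checks email, the standard account
# resets a password, and a user who was offboarded still logs in to the VPN.
SAMPLE_LOG = """\
2021-06-17T09:02:11 user=joe.analyst-admin app=outlook-web action=login src=10.1.4.22
2021-06-17T09:05:40 user=joe.analyst app=outlook-web action=login src=10.1.4.22
2021-06-17T10:15:03 user=joe.analyst-admin app=ad-users action=reset_password target=sam.jones
2021-06-17T11:20:55 user=joe.analyst app=ad-users action=reset_password target=sam.jones
2021-06-17T12:01:09 user=ann.former app=vpn action=login src=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for no, rule, user in review(SAMPLE_LOG, offboarded={"ann.former"}):
        print(f"line {no}: {rule} ({user})")
```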

[1] https://en.wikipedia.org/wiki/Insider_threat

Cybersecurity Daily News for June 17, 2021

In today’s news; Ransomware gang, Cl0p, gets clamped; Secret FBI-run encrypted messaging network used to catch worldwide criminals; SEC fines First American Financial $487k over data breach.

The Dangers of Reusing Passwords and Password Security Tips

You don’t need to tell me how annoying keeping track of your passwords is, and you really shouldn’t be expected to remember a subset of unique passwords for every login that you have; that might be a lot of passwords. So why is it then, that passwords are still the primary authentication mechanism for most of our logins?

The first use of password authentication is suspected to date back to the 1960s at the Massachusetts Institute of Technology (MIT) during the development of a time-sharing computer, the Compatible Time-Sharing System (CTSS). Even then, passwords were not very effective, and they have only gotten worse.

Risks of Reusing Passwords

I know many people who have a few passwords that they use over and over again on the different accounts that they need passwords for. This includes both work accounts and personal accounts. This wouldn’t normally be a problem if it weren’t for the almost 7 billion people in the world, very powerful computers, and data breaches. Let me explain.

How Data Breaches Increase Password Reuse Risk

Every time a data breach occurs there is the risk that an attacker will obtain usernames and passwords. What is increasingly happening is that these password repositories (both encrypted and unencrypted) are being sold, or traded between cyber criminals. This allows a cyber criminal to obtain large subsets of possibly legitimate credentials without doing much work.

Using these credential repositories cyber criminals can automate checks and logins to determine if any of the credentials are still valid. Once they’ve determined if any of the credentials still work, they can either use it to continue the cyber attack or sell the credentials to other criminals including nation states such as Russia and China.

Moore’s Law and Increasing Microprocessor Capabilities

Moore’s Law is the observation that the density of transistors in microprocessors doubles approximately every two years. This increase in density has led directly to an increase in microprocessor capabilities.

Passwords can only be as complex as our language, together with any other limits we place on passwords (e.g. which special characters are allowed), so our passwords have limits. As computers become more and more powerful, they become more and more capable of performing a large number of calculations in a short period of time. Cracking or guessing a password involves using this hardware to try and recover passwords.

There are a number of different methods and applications for password cracking, but they all work similarly. They take a given input, cryptographically hash it, and compare the result to the stored password hash that we have. If they match, then we’ve guessed the password.

Due to this increase in power, passwords have actually become weaker over time in terms of how quickly a certain length can be cracked. Here are some estimates from betterbuys.com.

Password cracking times decreasing between 2000 and 2016.

As you can see, a 9 character alphanumeric password in the year 2000 would take almost 4 years to crack. As of 2016, this same 9 character password takes just under 3 months.

Password Security

As I mentioned earlier, it’s not feasible to remember a large subset of unique passwords for every account that we may have. So stop trying to remember them!

Password Managers

Password managers such as LastPass and Bitwarden not only allow you to store passwords, but also allow you to generate random passwords based on your needs. Your password manager will have a single password to access it, and will then provide you with complete plain-text access to all of your passwords.

By using your password manager, generating a random password for every login, and storing it securely, you will never have to remember any of your passwords other than the one that you use to log in to your password manager.

Even if your password is stolen, its uniqueness prevents it from being used on any of your other accounts.

Multi-factor Authentication

I’ve mentioned Multi-factor Authentication (MFA) many times before. In short, MFA adds a second and even third authentication method that must be successfully entered, along with the password.

Authentication methods fall under three categories; something you know, something you have, and something you are. A true MFA solution must have at least two of these methods involved. Here are some examples of authentication types that fall under these categories.

Something You Know
  • Password

Something You Have
  • Smart Card
  • Software RSA Token (Mobile Phone)
  • Hardware RSA Token

Something You Are
  • Fingerprint
  • Voice
  • Retina/Iris
  • Face

Length Is More Important Than Complexity

Although it’s recommended that we include not just letters but also numbers and special characters in our passwords, at the end of the day the length of your password is going to matter more than its complexity. An 8-character complex password will still be cracked before a 20-character simple one.
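Added example (not from the original post) that puts numbers on the length-versus-complexity point above and shows the defensive counterpart of the hash-and-compare loop described under password cracking: a salted, slow PBKDF2 hash from the Python standard library that makes every guess expensive. The guess rate of 10^11 per second is an assumed figure, not a value from the page.

```python
# Added example: estimate a password's search space from its length and the
# character classes it uses, and store/verify passwords with a salted, slow hash
# (PBKDF2 from the standard library). The guess rate is an assumed figure.
import hashlib
import math
import secrets
import string

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def keyspace_bits(password):
    """log2 of the number of candidates an attacker must try in the worst case."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def years_to_exhaust(password, guesses_per_second=1e11):
    """Worst-case time to try the whole space at an assumed guess rate."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)

def hash_password(password, iterations=600_000):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is the work factor."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(stored, candidate):
    """Recompute with the stored salt and work factor; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return secrets.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # 9-character complex password versus a 25-character lowercase passphrase
    for pw in ["Tr0ub4d&r", "correcthorsebatterystaple"]:
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, {years_to_exhaust(pw):.2g} years")
    record = hash_password("correcthorsebatterystaple")
    print(verify_password(record, "correcthorsebatterystaple"),   # True
          verify_password(record, "Tr0ub4d&r"))                    # False
```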

Cybersecurity Daily News for June 16, 2021

In today’s news; Toronto’s Humber River Hospital discloses ransomware attack; Intuit suffers data breach from compromised TurboTax accounts; and Alibaba exposes 1.1 billion records of data.
