I changed my github username

For whatever reason I today decided to change my github username from

deralexxx

to

jaegeral

I did this to match other profiles where I already use that username. It seems easy to do, but be careful: it also breaks stuff.

If you also want to do that, have a look at: https://help.github.com/en/github/setting-up-and-managing-your-github-user-account/changing-your-github-username

I would also recommend registering your old username afterwards with a different mail address, to prevent others from claiming the repository links you previously owned.

Timesketch new UI example

Timesketch, the open-source timeline collaboration tool, recently upgraded its UI, so I am writing a new blog post to show the new UI by processing an E01 image with plaso.

First, install plaso and Timesketch (in my case I used both via docker images, as that is the easiest way to get them running).

As a scenario, I am using the image file provided by NIST, which has been covered in many blog posts already.

Processing via plaso

First, run the plaso docker container where the image file is stored.

docker run -v /evidence/:/data log2timeline/plaso log2timeline /data/evidences.plaso /data/4DellLatitudeCPi.E01

That will run for a while.

plaso - log2timeline version 20191203

Source path		: /data/4DellLatitudeCPi.E01
Source type		: storage media image
Processing time		: 00:23:38

Tasks:          Queued  Processing      Merging         Abandoned       Total
                0       0               0               0               12210

Identifier      PID     Status          Memory          Sources         Events          File
Main            7       completed       293.9 MiB       12210 (0)       168913 (0)      
Worker_00       14      idle            288.7 MiB       5804 (0)        82139 (0)       TSK:/WINDOWS/system32/config/systemprofile/Start Menu/Programs/Accessories/Accessibility/Utility Manager.lnk
Worker_01       16      idle            268.9 MiB       6405 (0)        86774 (0)       TSK:/WINDOWS/system32/config/systemprofile/Start Menu/Programs/Accessories/Entertainment/desktop.ini

Processing completed.

Number of warnings generated while extracting events: 2.

Use pinfo to inspect warnings in more detail.

MD5 (evidences.plaso) = 82ed76c50a6152a8c96cd959ad494b53

Install and start Timesketch

For this sample, I used the development docker setup described at https://github.com/google/timesketch/tree/master/docker/development

docker-compose up -d
export CONTAINER_ID="$(sudo docker container list -f name=development_timesketch -q)"

Import data

Create a case via Web UI

Create the Case in Timesketch

I decided to upload the plaso file via Web-UI.

Timesketch data upload

Progress feedback is also visible in the Web UI.

Timesketch data uploading

Now the data is being indexed.

Timesketch data indexing

This triggers an entry in the debug output:

[2019-12-30 19:22:38,018: INFO/MainProcess] Received task: timesketch.lib.tasks.run_plaso[2ab18910-e2e1-4b0d-977c-948605b335dd]  
[2019-12-30 19:22:38,088: INFO/ForkPoolWorker-1] Index timeline [evidences] to index [d3cf025c5c94498e8300190d92e483ae] (source: plaso)
[2019-12-30 19:24:13,148: INFO/ForkPoolWorker-1] Task timesketch.lib.tasks.run_plaso[2ab18910-e2e1-4b0d-977c-948605b335dd] succeeded in 95.0877274190002s: 'd3cf025c5c94498e8300190d92e483ae'

Data exploring

After indexing, the data is ready to be explored via Timesketch.

Analyzers

One of the cool new features is Analyzers. Analyzers run predefined queries on the data of a timeline and take actions such as:

  • add tags to matching events (e.g. phishy-domains)
  • add new fields to an event (e.g. the browser search analyzer adds a field called „search_string“)

Answering questions

To showcase the power of Timesketch, let’s try to answer some of the NIST questions that came along with the image.

What operating system was used on the computer?

This is rather easy, as plaso already has a parser for that, so searching for „Windows NT*CurrentVersion“ will do the job.

What are the timezone settings?

Again, plaso already parses that; searching for „timezone“ will show „ActiveTimeBias: 300 Bias: 360 DaylightBias: -60 DaylightName: Central Daylight Time StandardBias: 0 StandardName: Central Standard Time“.
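As an added illustration of what the analyzers described above do, and of the two NIST questions just answered (this is example code, not Timesketch's own analyzer API), the following runs predefined queries over constructed plaso-style registry events, tags the matches and adds derived fields such as the OS version and the UTC offset:

```python
import re

# Constructed sample events modelled on plaso's Windows Registry output;
# these are not events from the NIST image.
EVENTS = [
    {"datetime": "2004-08-20T15:23:01",
     "key_path": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion",
     "message": "ProductName: Microsoft Windows XP CurrentVersion: 5.1 CSDVersion: Service Pack 2"},
    {"datetime": "2004-08-20T15:23:02",
     "key_path": r"HKEY_LOCAL_MACHINE\System\ControlSet001\Control\TimeZoneInformation",
     "message": "ActiveTimeBias: 300 Bias: 360 DaylightBias: -60 DaylightName: Central Daylight Time "
                "StandardBias: 0 StandardName: Central Standard Time"},
    {"datetime": "2004-08-20T15:25:00",
     "key_path": r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs",
     "message": "url1: http://www.example.com/"},
]


def os_fields(msg):
    """Derive OS name and version from a CurrentVersion key message."""
    m = re.search(r"ProductName: (.+?) CurrentVersion: (\S+)", msg)
    return {"os_name": m.group(1), "os_version": m.group(2)} if m else {}


def tz_fields(msg):
    """Derive the UTC offset: ActiveTimeBias is UTC minus local time, in minutes."""
    m = re.search(r"ActiveTimeBias: (-?\d+).*StandardName: (.+)$", msg)
    return {"utc_offset_hours": -int(m.group(1)) / 60, "timezone": m.group(2)} if m else {}


# Predefined queries: (substring to match, tag to add, field deriver).
QUERIES = [
    ("Windows NT\\CurrentVersion", "os-version", os_fields),
    ("TimeZoneInformation", "timezone", tz_fields),
]


def run_analyzer(events):
    """Tag events whose key path or message matches a query and attach derived fields."""
    hits = []
    for event in events:
        haystack = (event["key_path"] + " " + event["message"]).lower()
        for needle, tag, derive in QUERIES:
            if needle.lower() in haystack:
                event.setdefault("tag", []).append(tag)
                event.update(derive(event["message"]))
                hits.append(event)
    return hits
```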

Kickstand for Surly Troll, Ogre and ECR

Since I bought my Surly Ogre about 1.5 years ago, basically only one thing bothered me: the missing kickstand. In many places it is no problem to lean the bike against something, but not everywhere.

At some point I came across this video by Craig Meyer on YouTube:

There he lists the following things you need:

The installation itself takes less than 30 minutes; I did not even remove the rear wheel, and despite the disc brake it is doable with a little dexterity.

And this is what the result looks like:

Surly Ogre kickstand
Surly Ogre kickstand bolting, no problem with the disc brake
Surly Ogre kickstand view
Surly Ogre kickstand extended

The only remaining challenge is the hitch bracket for a Thule Chariot, which is now mounted in such a way that it probably cannot be used. To be continued…

36c3 Day 1

So, day 1: I arrived around 11 AM and got myself into a queue, which was surprisingly well organised and fast-moving. There is even a page showing waiting times for the last few years.

Once past the entry area I was a little overwhelmed: lights, people, noise everywhere, and the space simply seems large…

At some assembly, I met a good friend and long-time CCC / C-Base hang-around who introduced me to some people, and within a blink, 3 hours of conversation were gone.

Along the way, I learnt about Freifunk, open firmware and much more, but the most important thing was the very good conversations and friendly people.

An aspect that is not covered much in blog posts or wikis is food. I was not sure how to prepare for the long days in regards to food and drinks. Turns out there are a lot of bars serving Mate (of course), beer, cola and other stuff, and there are a lot of food places, so no problem there (not vouching for the quality…).

Hacker Jeopardy was something I was curious about, but I watched it back in the hotel.

36C3 Day 2

Pretty early for congress standards, I guess, I hit the CCL around 11 AM, and most floors and assemblies were empty, which had its own vibe.

Today I tried to meet some of the people I wanted to meet during the congress, and was quite successful.

By accident, I ran into a pitch of „| age“, a tool described as „a simple file encryption tool & format“, which looked quite cool; I will try to play with it at a later point.

36c3 part 1

For many years I wanted to go to a CCC congress, and this year, for various reasons, I was finally able to go. This blog post covers my planning; further posts will hopefully follow.

Preparing

There is a lot of coverage already on how to prepare for a congress. Obviously, you need a ticket. I got mine thanks to a co-worker who is a pretty active member of a local chaos group, so that was fairly easy (thx stean).

After getting a ticket, a place to stay needs to be found. In most cases I go with AirBnB; this time I was unable to find a cosy place nearby, so I ended up making a hotel reservation, and I hope this was a good choice.

And last but not least, transportation. The way to go for me is the German railway, Deutsche Bahn. There is even a special page from Deutsche Bahn to get a special ticket at a lower price.

Stuff

Of course, going to a conference you need your basic stuff, as for every conference or trip, so I will not go into that too much. Especially for the congress, I tagged most of the gear I plan to bring to the venue with my twitter handle and my domain, so that it is easy to find the owner.

In addition to my normal list I packed the following items:

  • permanent markers (white/black) – maybe I can help with those
  • Magic ties (Amazon link) – I love those things
  • Stickers (mostly for FIRST)
  • batteries (AA+AAA) because why not.

A water bottle, because @c3himmel asked for it:

Tech

The tech also needs some extra time; in particular, updating every running service/application is critical. As I do not trust the wifi (as with any other wifi), my VPN and a backup VPN were tested and updated.

To be able to work on stuff I also freed up some space on the devices, just in case.

Charge batteries, external power supplies and co.; I do not want to run out of power.

Further reading

Photos Maxdorf Triathlon 2019

Even though I unfortunately could not take part in the triathlon in Maxdorf (some day I will make it to the start line), we used the perfect weather for a little trip to the bike course of this very well organised competition; I unpacked the camera and we cheered on the cyclists for a good two hours.

From my own experience I know how much even a few cheers from the sidelines help. And it was really cool how many athletes thanked us for the encouragement and laughed with us.

Since I am not sure whether there was a photo service, and since I do not want to earn anything with the photos, I simply uploaded all of them without sorting.

The pictures may be used for your own purposes under CC-BY-SA, crediting Alexander Jäger as the photographer, and I am always happy about a link back here.

Enjoy the photos:

https://photos.app.goo.gl/WfPxrPGuwvnrzorv8

Convert curl to python request

While writing some code, I stumbled across an API documentation that only had curl examples (I prefer curl examples over no examples at all), but I had some trouble converting them to proper python code, and a friend recommended a page called: https://curl.trillworks.com/

Convert curl syntax to Python, Node.js, R, PHP, Strest, Go, JSON, Rust

And it is even available on github. How cool is that?

This blog post is just to save it as a kind of bookmark for future coding adventures.

CobaltStrike data with passiveSSL

Today, FoxIT published a blog post with a github repository listing potential CobaltStrike servers for the last few years.

I was interested in the data, so I processed it with my osint-timesketch scripts to add passiveDNS and passiveSSL data. I only took the IPs that were last seen >2019, to not create too much data.

Adding it to Timesketch was pretty straightforward:

sudo tsctl csv2ts -f output_cobalt.csv --name cobalt_strike
Indexing progress: 23000 events
Total events: 23650

Some quick findings: after searching for google I discovered several weird certificates, among them:

Some weird things: safebrowsing(.)net is not owned by google, and the IP for that certificate, according to Virustotal (https://www.virustotal.com/#/ip-address/204.154.199.184), resolves to microsoftapis(.)com – for sure nothing good.

Some other funny things were found by a quick look…

Hack me if you can

Happy Hacker Fake CA

This highlights the importance of:

  • Share the data (kudos FoxIT!)
  • Provide researchers access to data sets (thx to CIRCL and Virustotal!)

My dataset is available on github.
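As an added example (not the author's osint-timesketch scripts and not FoxIT's data), the following builds a csv2ts-importable CSV from constructed passiveSSL-style records, keeps only IPs last seen from 2019 on (my reading of the „>2019“ filter above), and flags the two kinds of subject names called out in the findings: a brand keyword outside the domains that brand actually owns, and a free-text subject instead of a hostname. The brand-to-domain mapping and the 192.0.2.x/198.51.100.x addresses are assumptions for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed passiveSSL-style observations: (ip, certificate CN, first seen, last seen).
# The IPs are documentation ranges, not real indicators.
OBSERVATIONS = [
    ("192.0.2.10", "safebrowsing.net", "2019-03-02", "2019-11-20"),
    ("192.0.2.11", "www.google.com", "2018-01-05", "2018-06-30"),
    ("198.51.100.7", "Happy Hacker Fake CA", "2019-07-14", "2019-12-01"),
    ("198.51.100.9", "Hack me if you can", "2019-09-09", "2019-09-30"),
]

# Assumed mapping of a brand keyword to domains that legitimately carry it;
# the post notes that safebrowsing(.)net is not Google's.
BRAND_DOMAINS = {"safebrowsing": {"google.com"}}


def suspicious_subject(cn):
    """Return a reason string for a suspicious certificate subject, else ''."""
    low = cn.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in low and not any(low == d or low.endswith("." + d) for d in domains):
            return f"brand '{brand}' outside owned domains"
    if " " in low:  # CNs should be hostnames; free text is a classic fake-CA tell
        return "non-hostname subject"
    return ""


def build_rows(observations, min_year=2019):
    """One Timesketch event per timestamp; message/datetime/timestamp_desc are required."""
    rows = []
    for ip, cn, first, last in observations:
        if datetime.strptime(last, "%Y-%m-%d").year < min_year:
            continue  # stale IP: leave it out to keep the timeline small
        flag = suspicious_subject(cn)
        for desc, day in (("First seen", first), ("Last seen", last)):
            rows.append({"message": f"passiveSSL {ip} cert CN={cn}",
                         "datetime": day + "T00:00:00", "timestamp_desc": desc,
                         "ip": ip, "cn": cn, "cert_flag": flag})
    return rows


def to_csv(rows):
    """Serialise rows for `tsctl csv2ts -f <file>`; extra columns become event fields."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```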

Talent gap in security

Screenshot Github repository

There are a whole bunch of articles outlining the talent gap in security-related positions. More and more jobs require IT skills, IT systems are more and more integrated into all areas of our life, and there is a dramatic increase in open positions in security and privacy.

People living in areas like SF / Silicon Valley, New York or Zurich can easily find new jobs within days, but those locations are also very expensive and some companies cannot hire there.

There is a good opportunity to fight the talent gap: hiring remote.

This post is not about the benefits or shortcomings of working / hiring remote, but about the fact that it is very hard for candidates to find companies welcoming remote security-minded people.

On the other side, companies have a hard job marketing themselves against the big brands to attract remote people.

That combination is the reason I created yet another list on github, called companies-hiring-security-remote. It is a curated list, open for issues / pull requests, to act as a platform for job-seeking people and companies and give them a little more visibility.

I really hope that this will help people and I am happy to receive feedback.

Link to the repository: https://github.com/deralexxx/companies-hiring-security-remote