Infosec Press Reader

18. Top 5 Things to Do When You're Lifting & Shifting Workloads to the Cloud (and a bonus one)

January 28, 2024

Earlier this week, someone asked me for my top 5-10 things I would recommend to an organization lifting & shifting workloads to public cloud. I thought that was a good starting point. “Refactor” for cloud-native is the common answer, but the reality is that everybody lifts & shifts, so why not recognize that.

So, here are my top 5... and I'll add a sixth as a bonus.

Centralize and automate cloud account creation and billing, and ensure that all are in your public cloud Organization. This will allow you to apply policies centrally, and more easily deploy cloud-native security tooling.
Apply cloud guardrails at that Organization level to apply basic preventative controls and make your cloud accounts behave more secure-by-default. These are likely the cheapest and most effective security controls you can apply to enforce logging, encryption standards, network restrictions, MFA enforcement, etc.
Get a Cloud-Native Application Protection Platform (CNAPP). This can be deployed via Organization policy and provides broad visibility to your cloud estate, across providers and for multiple use cases, including asset discovery, CSPM and vulnerability management.
Related to that, while lifting & shifting your workloads, resist the urge to lift & shift your secure tooling from the data center. Look at what the CNAPP gives you, and see whether you may not be able to rationalize your security stack, retire point solutions you no longer need, and reduce cost.
Cloud APIs give you the opportunity to describe the infrastructure and services you want and have the cloud materialize that for you, rather than do everything yourself. It is designed for automation. Use Infrastructure-as-Code (IaC) to create your infrastructure, network and service configuration, create compute instances and deploy your VM images. IaC allows you to redeploy from known-good state, which accelerates patching, system configuration and restoration, while making deployments more predictable.

The Cloud is Metered

One bonus recommendation, given the difference between owned and rented compute, network and storage resources. Remember that everything in the cloud is metered and that your architectural choices have potential significant cost impacts. Don't size like in data centers with head room to spare. Figure out what your workload needs. Smaller instances but many of them may be cheaper than fewer large instances. If the workload is variable (seasonal, variable during the day), consider autoscaling. If the workload is static, use reserved instances at lower cost.

And after you have done all that, feel free to refactor!

December 31, 2023

from acrypthash

End of the Year Wrap Post

Greetings fellow hackers! I hope everyone had a productive and prosperous year! This blog post is going to be pretty big and all over the place as I discuss what I have been up to over the past few months. It's been quite a ride :D. I am so grateful for this year and how much I've grown.

TLDR; DailyPay Okta breach, Malvertising and it's woes, security conferences, learning, GCP security, what's to come in 2024.

The first thing we will discuss is a security event that happen with a vendor called DailyPay. For those of you who don't know, “DailyPay is an American financial services company founded in 2015, which provides payroll services such as earned wage access.” The vendor was experiencing odd API requests coming from customer tokens (insert sweaty cat here). We started seeing notifications of odd logins and reached out. Apparently this was related to the Okta breach. Ultimately we rotated tokens, assured user logins all had 2FA (which they mostly did), and sat tight. A bit anticlimactic but we managed to avoid something bad from happening. It also taught me the value of actually calling up a vendor when you suspect something odd.

Malvertising is a TTP that is difficult for end-users to understand. It's hard to identify and easy to fall for. We work hard to train and explain these things in terms that end users can understand, but to get someone to actually remember to think with security in mind for their day to day is difficult and not realistic. For our organization, we need browser level security. We are a Google Workspace shop, so we could do some management at a browser level in Chrome, but that is limited and not ideal. ZScaler or a full fledged MDM is probably going to be the solution for us. In the past month we had an end user that fell for this TTP when they googled “Amazon” and clicked on an ad that redirected them to a phishing site. The phishing site is meant to trick you into thinking you had to call “Microsoft Support”.

I have also attended several security conferences this year! – PancakesCon (virtually) – BSides Harrisburg – BSides Philadelphia – Secure World Philadelphia – Defcon 31 – JawnCon – Cybersecurity Summit – Hardford, CT

Attending all of these conferences throughout the year has been such a fun and exciting learning experience. I've networked, learned new skills, learned lockpicking, and I have even started doing talks of my own at Penn State!

I have spent a lot of time reading whitepapers and learning the granular things that comes to writing malware and exploits. I have tested these exploits against the environment at work and have learned a lot about remediation! I've learned how to program in Python, Rust, and C! I've learned the classic VirtualAllocEx –> WriteProcessMemory and why not to use it in new malware that I write. I have learned the inner workings of process injection as well. By no means am I an expert, but my understanding in all of this has dramatically increased over the last year. I plan to continue to learn more about malware, about defense evasion methods and more.

We are Google shop and with that we inherit GCP. I am quite impressed with GCP security. There are several out of the box configs that aren't super great, but you are able to lock things down pretty easily. I had implemented things like terraform scans back when I first started, but now we are ingesting a lot of really interesting data into Datadog. With Datadog, I am able to get alerts in real-time on what our K8s are doing and so much more. We have also integrated Datadog alerting into various Slack channels.

The beginning of 2024 is going to be busy. We are deploying our new phishing campaign out to end users, I am building another IR tabletop to do by the end of January, among other things. I am actually utilizing a bit of AI into building the template for my IR tabletop. Due to CitrixBleed being so popular, I think that is what our topic is going to be about.

2024 is going to be having several major projects such as: – LLM build out for IR training and input (more to come) – 2 IR tabletops (one Citrix, the other pending) – Better coding and reverse engineering skills – New training for all employees – More blog posts that have more value

I am so excited for more blog posts and projects! LETS GO!

December 28, 2023

from AnOtterCity

Test

Hello

Hi

December 28, 2023

from AnOtterCity

This is an example.

Looking ahead to 2024

December 28, 2023

from Personal Blog

2023 has been a huge year for me, for many lows in my career, as well as amazing highs. However I’ve always felt something missing, an urge left unscratched, so I’m making this post to plan out my 2024 personal projects and learnings that I want to undertake; a sort of “reflection journal” if you will.

Throughout 2024, I plan to revisit this post to reflect on what I’d like to achieve and how I’m tracking in achieving my goals. This will be followed up with a post detailing how everything is going, what my highlights have been and any potential blockers I’m facing. So, let’s begin with the goal setting!

In no particular order: – Publishing 2-3 articles on my security blog: I’m already in the draft stages of 1 post, however I got lazy and sort of lost interest. Once I can get that closed off, I have a feeling the rest will come more naturally and I should be able to achieve this quite comfortably. – Filling out my repo with content: Standing up my repo and filling it with content is a huge item on my list for the coming year. This will not only help my personal understanding of my security work but also give me something tangible I can use throughout my career. – Filling up my Wazuh instance with agents and directing logs to it via Syslog: Mid-2023 I stood up a Wazuh instance on my internal network, on a Raspberry Pi 4. Currently, I only have 1 agent connected to it and I don’t check it nearly as often as I should. Going forward, I want all computers to have agents installed, and gather logs from my IoT devices to ensure nothing dodgy is connecting to my network. On top of this, working on automations so I don’t have to check things manually will be a huge assist. Having an internal SIEM isn’t something I’ve stood up because I’m paranoid, rather it will help me gain skills across other platforms to help further my career. – Stick to a fitness plan: Looking after my health isn’t something that’s been top priority for me through my 20s, but with 30 fast approaching I’m starting to feel the repercussions of not taking it seriously. In 2024, I want to become much more disciplined with my health, going for runs, lifting weights and generally being more healthy so I’m around on this Earth for as long as possible.

Here’s to a prosperous 2024, for everyone! 🥂

The "olux" and/or "oxo" or whatever guys

December 22, 2023

from Ducks

Their telegram account: hxxps://t.me/oluxshopsite/ 2 336 subscribers Olux Buy Tools, Shells, web shell, RDP, SSH, cPanel, Mailer, SMTP, Leads, Webmail, Cards, Account, Pages, olux, Olux SHOP, olux store

hxxps://t.me/oluxshopsite/729: Tutorial Video Cpanel & shell & Smtps & Mailler 1$-10$ Rdps & Office logs & Leads & Numbers 1$-20$ Accounts & webmails & Pages & Methods 1$-500$

you can top up your account instantly few seconds with bitcoin Send the exactly number of Bitcoin or more don't close the payment page. u can refresh page

Any Problem with the order:Submit report to seller Seller didn't fix problem within 5 hours.We will refund Buyer. Buyer didn't reply within 24 hours after seller.We will Close report. Note:avoid multi reply. hxxps://olux.li hxxps://oluxshop.li t.me/oluxshopsite/729 edited Sep 28 at 07:43

cdn4.cdn-telegram.org/file/cff2fa7546.mp4 —> not able to catch that one.

IP-address 162.55.238.94

I first stumbled across a cryptofraud site on that IP. But I also found sites on the same IP with hidden content. One or more lines with the following content on one or more pages on the same domain, first example: view-source:hxxps://www.bitwealthasset.com/ : hxxps://www.oxo.si/'>Buy Spamming Tools, Shells, web shell, RDP, SSH, cPanel. I don't know the value of this, some kind of “seo” maybe? Other domains with the same or variations of the code:

bluerichfoods.com bxplorer.online tocpharmaceuticals.com euphoriaeventplace.com (24 rows with the code) abbasheartinternationalministries.com abdanielstradomedhospital.com caishencharteredtrust.com capitalgrowinvest.com capitecfin.com cattyinvest.com cheeckstox.com educurrency.top

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is (which celebrates christmas). “Buy Leads”and “SMTP” has sneaked in some places in what “services” they seem to provide.

clarity-options-trade.com climaxpaytrading.com coinswalletsapp.com commercial-trading.com conexriseltd.com crescent-funds.com crownenergy-investment.com cryptohive.online cryptohubmine.com cryptoinxhange.com cryptotradinggai.com bettercryptoinvestment.net climatefitsolutions.com educurrency.top (redirectet from chuksblog.top) clarity-options-trade.com climaxpaytrading.com cloudminingcity.com coinstitude.com combdb.com commercial-trading.com corporateuniontrustbank.com couttss.com cryptnetverse.com cryptoevolution.info cryptohubmine.com cryptoinxhange.com cryptoref.info cryptospotpro.online daily-gt.com dashtradefx.com debulad.com decentralisedincome.com deroyaleservices.com doubleyielders.com empablockmarket.live eqtycdf.com euphoriaeventplace.com expertminer.online firstcornerstoneb.com firstmidwsb.com firstspringcu.online flaretrustline.app ftxdailyincome.com fx-primetradhub.com fxnetworktrading.com getmypins.com/manage/ ggemfx.com glimcoinfx.com globalbestcutbutchers.com (in total 190 lines of code) globalbinarycpro.com globalprimefinance.com globalsignalexpertmarkets.com globewritershub.com glockamory.com gnbancorp.com godfelhrconsultancy.com goldenmovicltd.com grandoption.org grantbakingonline.com greencoastonline.org greenpathtb.com greenpathtrust.com gricunashr.com hakkbully.com hakkdomain.com hakknocrat.com haloinvestpro.com hashmarketfx.com heritagecapitalfx.com heritagecf.net heritagepvltd.com hfplatform.live hoardblockexplorer.info hoardfx.com hoperbookings.online horizonjury.com icbcsbnk.com iconiccanna.com trades.idealtradesignal.com instaplug01.com intconib.com intertrustbk.com itechglobehack.com jkcostant.online kathleencahillmariconda.com kryptofxcore.com legacycrf.com legcreditf.com liamfinancing.com liteinterext.online luminerybank.com lumineryfb.com luxorrtech.com masterfxtrade.live mauricugointernational.com mectomfx.com megafxoptions.com midascryptotrade.com milesassetltd.com digitechcompany.cloud/en/public/ (redirects from minecoins.online) moleystonescapitals.com mycrypai.com mypnconline.com myviasupport.com nationalcreditunion.online niketradeprime.com northcelly.com northernsb.com omegafinanceleasing.com optimoser.com optimuminternationalmarkets.com ordezenterprise.com peakhash.com pinb.online premier-option.com primeglobalinvestments.live/home/ profxcrypto.com prohakks.com propertiesloans.com prudcrb.comstockstradersfx.com standardcorpb.com stuartfellstaffordshirebullterriers.com successfulfx.online suisepay.com surfhakks.com swisslitebank.online syngenresources.com tcloudusdt.com tescoinv.com titantrustb.com (site copied from cnl.com, which was registered in 1995 and seems “legit”) tnbancorp.com tocpharmaceuticals.com (on a buttload of links on this domain) tokssphere.com tonensiadiamonds.com top-m.online topromedics.com torchcart.com trippydelics.store tsbcadvisor.com ualliancecrdu.com ultimafxoption.com ultimaterealistic.com ultimatexplorer.info

ultrafxoption.com * A bit interesting is that the code did not exist on ultrafxoption.com on November 30th 2022 according to urlscan.io. But shows up in a scan in December 2023. Did all sites got this code injected in this timeframe? Can only speculate. Or use a lot of time trying to find out.

uniqueglobaloptions.com vacationdepts.info vertextradings.com vitalityplc.online waxiprofit.com wcouservice.biz web-gmd.com westagefinance.com * According to urlscan this domain contained the code also on December 4th 2023 winnersviewoptioninvestment.org wisgodynamic.com wmovelogistics.com wolf-trademarket.cfd world-miners.com wourld-cour.com xiloans.com xpressct.com xtrafcb.com xtrainterextcorp.com xtrainterextfb.com xtrainterextfcb.com xtratreasury.com ysmbundle.com ziraatinternationalcorporation.com * According to urlscan this domain contained the code also on September 11th 2023

citricosartaca.com is apparently a blank page, but contains almost 40 lines, but with different additional domains and keywords in the code. Contains links to the following domains: oxo.vc (gone), oxo.si (127.0.0.1) and oxo.is which celebrates christmas. “Buy Leads”and “SMTP” has sneaked in some places in what “services” they provide.

Various search engines gives hits to other sites on the same IP, but the hidden stuff is now gone: fujowillbusiness.com/sample-page/ wmtips.com/tools/info/sh3elltools.to hxxps://www.hotelfontana.de/magazin/tag/ayurvedische-reinigungskur/ hxxps://albertfinni.com/gva_template/crowdfunding-single-template/

Some sites appear in searches, but are now gone: lufix.pro, lufix.to, oluxshop.to

Domains, variatons of oluxshop.[tld] oluxshop.to (127.0.0.1)

Domains, variatons of olux.[tld] olux.to

ICQ: hxxps://icq.im/oluxshop

A now apparent dead facebook account: hxxps://www.facebook.com/groups/buywebshell/ sh3elltools.to seems somwehat related.

December 22, 2023

from Dr. Sbaitso

Why I won't buy Androids

I was talking about new phones with a friend a few days ago, and he asked about Android choices. I told him I won't buy any Androids, for a bunch of reasons. This is social media, I'm into my second boozy eggnog. I figure I'll share those reasons here too. Most of the reasons are around Google itself, and some how it's handled Android. Only one is because I'm a petty bitch with a collection of heirloom grudges.

First and foremost, Google is an advertising company with a search engine and a browser and a video hosting service and a mobile operating system all designed to keep your eyes and ears on their advertisements. For FY2022, 80% of Google's revenue came from advertising. Given the lengths I go to avoid ads everywhere else, putting a little ad machine in my pocket doesn't make much sense.

Aside: I go to extreme lengths to block ads. I have a very aggressive PiHole setup. My daily browsing is through Vivaldi (which has a built-in ad blocker) (But the new Direct Match stuff defaulting to On is pretty fuckin' shitty, Vivaldi) and also running an over-packed μBlock extension. Secondary browsing goes through Firefox with a similarly-configured μBlock. I also have a WireGuard VPN running on my iPhone so whenever I'm not on my own WiFi network I'm tunneling back in just to use my PiHole. Vivaldi on iPhone also has a built-in ad-blocker.

Besides the ad biz, I don't trust Google overall. It started with Google Reader, but Google is quick to drop the blade on the neck of any product/service/app that doesn't have a VP championing it. The other recognizable names include Google Wave, Google+, Google Fiber, and Google Stadia. What's going to be the 300th entry in the Google Graveyard? They're at 293 right now, so I expect we'll hit 300 by April 2024.

Zooming back out to the state of the internet today, I honestly think Google and Facebook are tied for doing the most damage to the internet and society at large. Their pervasive advertising is enough for me to stay far away from them. But their stains run far deeper. Google Search is now completely useless. Everything is a webpage now. I've lost count of the companies they've either acquired and killed or cloned and killed. They've built data profiles to rival Facebook. And Youtube will gleefully auto-play viewers into misogyny, conspiracy, and rightwing fascism.

On Android specifically, Google has been an exceptionally poor steward of the ecosystem. Flagship devices now get a few years of updates, but anything down-market may get a year of updates before being forgotten like the fifth child at an after-school activity. Google could enforce feature and security updates for a minimum period of time, but they've chosen not to. And it's only improved to the shameful level now somewhat recently.

And they've been spreading this fast-fashion/ewaste-speedrun philosophy to the laptop formfactor too. They're goddamned laptops, not milk. I have an Alienware M11x R1. It's from 2010. It still runs Windows 10. Poorly. But it can still get OS and security updates 13 years after release. It's a functional print server for my old Brother laser printer that I bought in ~2007 that only has a USB-B interface.

Beyond the shameful state of Android updates, the Google app store is a fraudulent mess. It's been a problem for years and it's still a problem today. It's impacted millions of users at this point. If the Google Play store is going to be the premier source of Android apps, Google needs to get a lot better at protecting users from bad actors. For devices that contain so much of our lives, failures to protect against financial theft is unacceptable.

And Google themselves are part of the problem. We're over-due for Google's next chat app shakeup. I think. And that's just Google. The phone OEMs can replace it with their own uniquely crappy SMS/RCS/Proprietary pile of crap. Going back to the problem of executive champions and vision, nowhere is than absence clearer than the absolute clusterfuck of Google chat apps.

Finally, I mentioned above that I'm a petty bitch. My family holds onto grudges like most folks hold onto fine tableware or farmland. Case in point: My grandfather got screwed over by a Shell gasoline station. He wrote to corporate to explain the situation, and found their answer... unsatisfactory. Nobody in my family has gone to a Shell station since.

My grandfather died over a decade before I was born.

But I have a very personal grudge against Google. They blamed me for something they broke, and have never to my knowledge apologized for it.

Many, many years ago I worked at a small firm. This was when Windows 7 was at its peak, and Windows XP was still very common/well-supported. We had a line-of-business app that was dependent on certain components of Internet Explorer. If you tried to access the web launcher from something other than IE, it would break in really unpleasant ways. Since some of the LOB usage was time-critical, when it broke it was a priority issue.

This was also the time Google started to spread Chrome like herpes. We weren't a big firm, and we didn't have great tools for controlling third-party applications and their updates at the time. Remember, this was almost 15 years ago. I've learned a lot since then, and the toolsets have improved a lot since then.

So folks would just push the button to update Adobe reader, next next next finish. The work we did was highly technical, and again: ~15 years ago, small business, most folks had local admin. We didn't have the tools to do a good job controlling these things. And updating an existing Adobe reader install would “helpfully” install Chrome and set it as the default browser. The LOB “app” was a shortcut on the All Users desktop that pointed to the webpage.

Google Chrome could not support the critical application. So I'd get a panicked phone call from a user because the critical LOB app was failing. I'd either walk over to their desk or RDC into their machine and uninstall Chrome. They'd go back to work, fill out the time-sensitive information, everyone was acceptably content.

Until they tried to click a link outside IE. Say, a link to something important in Outlook. Turns out, Google did a shit job coding the Chrome uninstaller, and left HTML file associations (what Windows uses under the hood to understand it needs to pass data to a browser) just... empty. And in Windows 7, that leads to a specific error message: “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.” Hey guess who the System Administrator was. Guess who everyone thought was blocking something they needed to do for work?

Eventually I got the tooling and controls in place to prevent Google Chrome from installing itself where it shouldn't (part of the user profile), and finally blocked the garbage of early Chrome from my corporate domain. It wasn't technically a virus, but it sure acted like one. It sure caused a lot more headache than any actual malware. And I still carry a grudge for the shitass job Google did when spreading their little browser-glitter all over my matte black Thinkpads.

So now my phone is built by Apple. They have plenty of different problems, but Google products are absolutely disqualified.

I really wish Microsoft hadn't given up on Windows Mobile/Phone. A third player with real marketshare would be good for everyone. And comparing the ROG Ally to the Steamdeck highlights how weak Windows is on smaller devices and interfaces that aren't keyboard & mouse. Having an ARM-based processor base would have put Microsoft in a better place to really compete with Apple's M processors. Having an XBox Mobile/Handheld/Go would be amazing. #RIPWindowsPhone

So yea. I don't trust Google for many reasons. Android itself is a mess. And I'm petty as fuck. That means an iPhone is my only option.