Understanding SSL: Part I – Introduction

One of the aspects of the Web that we (or rather I) take for granted is that “green lock thingy” on the top-left of my Google Chrome browser. If I click on it while it is green, I get a “secure” feeling (excuse the pun) knowing that my client or browser is connected to a trusted server. It also means that my traffic to the server is encrypted, which prevents a third party from simply intercepting the traffic and reading its contents. Encryption of network traffic is so fundamental nowadays that it’s difficult to fathom that popular sites such as Facebook did not offer secure connections by default when you logged in (so during that time, browsing Facebook on an open Wi-Fi network exposed you to packet sniffers and potential credential theft).

SSL, or Secure Sockets Layer, is a general catch-all term for a secure client-to-server or server-to-server connection. Sometimes we call a secure connection an HTTPS (Hyper Text Transfer Protocol Secure) connection; HTTPS is merely the communications protocol that runs over that secure connection. To add more wrinkles and confusion, today’s commonly used “SSL” is actually TLS (Transport Layer Security), the modernized successor to SSL. I actually didn’t realize this until now so – again – learned something new today.

Since it’s such a commonly used technology, there are tons upon tons of resources out there. Also because there is so much information out there, it’s overwhelming. So I like this Thawte page that gives a very high-level overview of what SSL is and does. I aim to explain various SSL-related topics as simply as possible so that I can better understand all this myself.


PlanetBravo


Ok, I said I was going to talk about SSL in my next series of blog posts, but before I do that (starting next week), I wanted to briefly mention PlanetBravo. Tonight was “back-to-school” night for parents and my son’s kindergarten teacher (yes, school starts next week). Aside from talk about the usual curriculum – religion, reading, math, and a host of other topics – there was mention of a new technology-based program provided by an organization called PlanetBravo. It remains to be seen how effective their program will be as this is their first year at St. Margaret Mary, but they’ve been providing technology-based curriculum for K-8 grades in Los Angeles for close to 15 years. They will engage the kids with modern tech, including teaching basic programming and coding to the higher grades. Seems very cool, and I hope this gives the kids foundational knowledge which they’ll need far more 20+ years from now.

This should be exciting for the kids and hoping this is successful for the school this year and years to come. Getting young Catholics into technology early is what we need for the future, especially as the world becomes more embedded in a culture of tech and social media.


A Busy Day and SSL Certs

It has been a longer work day than usual, so no real opportunity to blog today. However, I want to note that I’ve been learning much about trusted certificates (for SSL), so for the next series of blog posts I’d like to touch on this topic extensively. There was much misunderstanding on my part, and writing about this will help solidify my knowledge. I hope it helps others as well.

Black Hat 2017

My company is at Black Hat USA this week (would’ve been a great learning experience to attend since I’m still very green on security, but next time), looking to promote our tech to thousands of security professionals.

Perhaps have a little fun in Vegas as well.

Now in its 20th year, the growing desire for, and need for, security knowledge will only make the conference ever more popular. Some interesting news stories to note from BH:

A Crash Course in Linux


Having worked in the Microsoft/C#/.NET space for almost ten years prior to my current job, I didn’t work with Linux and Bash all that much. I worked with Linux primarily as a hobby back in college. Of course, when you work in this industry, many skills can transfer over to different tech stacks. However, since my current position is primarily all about working with CentOS Linux and open-source software, I had to take a refresher before doing my interviews and supporting the platforms I’m working with.

For those who want to get their hands dirty a bit with Linux and Bash, I recommend Linux Journey. I had much prior knowledge working with Linux, so this site was more for “fine-tuning” my knowledge a bit, but if you want to gain a useful skill, this is the site to use – and it’s free! Don’t expect to be an expert overnight, but rather think of it as laying the foundation as well as gauging your interest in working with the most popular open-source platform on the planet (remember that Android is built off the Linux kernel).

It’s worth a try and it might be valuable career knowledge later on.

Understanding CybOX

Going through a transition from CMS/Commerce platforms to cyber security/big data, there are many technical aspects of security I’m still trying to grasp. One of them is CybOX, or Cyber Observable eXpression. It is a “standardized language for encoding and communicating” cyber observables. An observable, by definition, is a dynamic variable that can be measured, so cyber observables are measurable properties of systems and events that are used for analysis and detection in the following domains:

  • Threat assessment & characterization (detailed attack patterns)
  • Malware characterization
  • Operational event management
  • Logging
  • Cyber situational awareness
  • Incident response
  • Indicator sharing
  • Digital forensics
  • And more…

In my work, CybOX cyber observables are used for setting conditions so that certain events will trigger “behaviors” that alert analysts to potential threats in their network. There is, however, much more complexity and flexibility than I’ve described, but that is the gist of it. Reading only the CybOX about page is a bit difficult to digest on its own.

Those familiar with XML will immediately understand the schema of CybOX observables. Here is one simple example for detecting file patterns via regex:

<?xml version="1.0" encoding="UTF-8"?>
<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2"
    xmlns:cyboxCommon="http://docs.oasis-open.org/cti/ns/cybox/common-2"
    xmlns:FileObj="http://docs.oasis-open.org/cti/ns/cybox/objects/file-2"
    xmlns:example="http://example.com/"
    xsi:schemaLocation="
    http://docs.oasis-open.org/cti/ns/cybox/core-2 ../core.xsd
    http://docs.oasis-open.org/cti/ns/cybox/objects/file-2 ../objects/File_Object.xsd"
    cybox_major_version="2" cybox_minor_version="1" cybox_update_version="1">
    <cybox:Observable id="example:Observable-9769042a-294d-4f2c-963b-579702df0472">
        <cybox:Description>
            This observable specifies a pattern for a file with a file name that fits a certain pattern.
            The file name starts with &apos;bad_file&apos;, ends with &apos;.exe&apos;, and has
            between two and five numbers in it.
        </cybox:Description>
        <cybox:Object id="example:Object-dae8802e-b0df-4989-9ac3-d816b153842b">
            <cybox:Properties xsi:type="FileObj:FileObjectType">
                <FileObj:File_Name pattern_type="Regex">bad_file[0-9]{2,5}\.exe</FileObj:File_Name>
            </cybox:Properties>
        </cybox:Object>
    </cybox:Observable>
</cybox:Observables>

So a dev could use this schema for whatever purpose in an application, such as generating an alert if some process creates a file whose name matches this pattern.
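As an added illustration of that idea (my own example, not part of the CybOX spec or any product), here is a small Python script that parses the File_Name observable above with the standard library, builds a matcher from its pattern_type, and runs it over a few constructed file-creation events. The sample XML is a trimmed copy of the page's observable with the same regex; the event list and the observable/object ids are made up.

```python
import re
import xml.etree.ElementTree as ET

# Namespaces used by the CybOX 2.1 example on this page.
NS = {
    "cybox": "http://docs.oasis-open.org/cti/ns/cybox/core-2",
    "FileObj": "http://docs.oasis-open.org/cti/ns/cybox/objects/file-2",
}

# Constructed sample: trimmed copy of the page's observable (same regex, made-up ids).
SAMPLE_CYBOX = r"""<cybox:Observables xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2"
    xmlns:FileObj="http://docs.oasis-open.org/cti/ns/cybox/objects/file-2"
    cybox_major_version="2" cybox_minor_version="1" cybox_update_version="1">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:Object-1">
      <cybox:Properties xsi:type="FileObj:FileObjectType">
        <FileObj:File_Name pattern_type="Regex">bad_file[0-9]{2,5}\.exe</FileObj:File_Name>
      </cybox:Properties>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""

def load_file_name_patterns(xml_text):
    """Return [(observable_id, pattern_type, pattern)] for every File_Name property.
    For feeds from untrusted parties, parse with defusedxml instead of plain ElementTree."""
    root = ET.fromstring(xml_text)
    found = []
    for obs in root.findall("cybox:Observable", NS):
        for name_el in obs.findall(".//FileObj:File_Name", NS):
            ptype = name_el.get("pattern_type", "String")  # CybOX default: literal string
            found.append((obs.get("id", ""), ptype, (name_el.text or "").strip()))
    return found

def compile_matcher(ptype, pattern):
    """Predicate for one pattern. Regex is matched against the WHOLE file name
    (fullmatch), so an unanchored pattern cannot fire on a substring such as
    'bad_file12.exe.bak'. Other pattern types are treated as literals (an assumption)."""
    if ptype == "Regex":
        rx = re.compile(pattern)
        return lambda name: rx.fullmatch(name) is not None
    return lambda name: name == pattern

def match_file_events(xml_text, events):
    """Run every File_Name observable over (process, path) events; return hits."""
    matchers = [(oid, compile_matcher(pt, pat)) for oid, pt, pat in load_file_name_patterns(xml_text)]
    hits = []
    for process, path in events:
        file_name = path.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # basename, either separator
        hits.extend((oid, process, path) for oid, match in matchers if match(file_name))
    return hits

# Constructed file-creation events, not taken from any real system.
SAMPLE_EVENTS = [
    ("explorer.exe", r"C:\Users\alice\Downloads\bad_file123.exe"),
    ("svchost.exe", r"C:\Windows\Temp\bad_file1.exe"),               # one digit: no match
    ("python.exe", r"C:\tools\bad_file99999.exe"),
    ("chrome.exe", r"C:\Users\alice\Downloads\bad_file123456.exe"),  # six digits: no match
    ("notepad.exe", r"C:\Users\alice\notes.txt"),
]

if __name__ == "__main__":
    for hit in match_file_events(SAMPLE_CYBOX, SAMPLE_EVENTS):
        print("ALERT observable=%s process=%s path=%s" % hit)
```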

I’m still trying to wrap my head around the depth and numerous use cases for cyber observables, but from my understanding this is a good place to start if you want a better understanding of what cyber security analysts use and rely on, especially now that security has become much more important for many large and enterprise-level companies and organizations.

July 4th Week Break

I hope everyone had a celebratory and fun Fourth! Taking a break this week, so here are some links of interest for “summer reading”:

https://www.darkreading.com/mobile/copycat-malware-infects-14-million-android-devices/d/d-id/1329286

https://www.darkreading.com/perimeter/hacking-the-state-of-the-isis-cyber-caliphate-/d/d-id/1329293

https://www.bleepingcomputer.com/news/security/man-who-hacked-kremlin-elites-gets-two-years-in-prison/

https://www.macrumors.com/2017/07/06/apple-bug-bounties-dont-pay-enough/

https://mspoweruser.com/microsoft-cutting-3000-jobs-part-major-reorganization/