Don Franke

Random musings about infosec, music, writing and coding.

Assembling the Synthrotek DIY Echo Module

August 31, 2019 Music

Assembled the Synthrotek DIY Echo kit that I bought on Reverb. It had one resistor that was different from the one in the instructions, but it seems to work fine anyhow. Fun little build; looking forward to the next one as I fill my 60HP Eurorack case.


Moog Grandmother Demo

August 24, 2019 Music
Created a quick tune with all sounds from the Moog Grandmother monophonic synth. After creating a sound I used Logic Pro to:
  1. Record MIDI track
  2. Quantize as needed
  3. Record (bounce) audio
  4. Add effects
It's a powerful and versatile sound engine, and a great controller to boot.


GIAC Penetration Tester (GPEN) Certification

August 19, 2019 Certifications

I passed the GPEN exam today!

Took the SEC560 class. It was my first in-person SANS class and I really enjoyed it; I recommend it over the online class if that's an option. I took this one live because there was a SANS Pen Test event in town, and I'm hoping to take all my future SANS classes like this. Also attended the optional Day 6 CTF, which brought it all together. Advice on that: make sure all teammates can easily share files over the network before you start (take nothing for granted). I also wish I had gone to more after-hours NetWars events; they really help reinforce learning and you meet some great people. And there's beer.

Here's how I prepared after taking the class:
  1. Read all the books again (slides and notes) and created my own index. It's all about the index.
  2. Worked on some CTFs, which provide good practice doing things like parameter manipulation using a non-transparent proxy.
  3. In the index at the back of book 6, I highlighted the best pages to use for each topic. For example: if there are 10 different pages listed for the ping command, highlight the ones that will help you most in the exam.
  4. Ran through the labs again as best I could without the classroom network environment.
  5. Took practice test #1 using a printout of my index to simulate test day. Scored well but not great. More studying.
  6. Read through all the slides (skimmed the notes) and refined my index.
  7. Read through the workbook again.
  8. Took practice exam #2 and received a score I'd be very happy with on test day. Not wanting to over-study (that's a thing), I decided I was ready.
Taking the test:
  1. Got a good night's sleep, made sure I was hydrated and caffeinated and had a protein bar before the exam.
  2. Brought SANS-provided "cheat sheets" (pamphlets) with me to the test center (just call them "extra material" if the proctor asks).
  3. Regretted not checking that I brought all my books with me. I actually forgot one in the car and you're not allowed to leave the testing area once it starts. Make sure you bring all your books with you!
  4. Completed all the labs. It might be tempting to skip them because they might seem like the hardest part of the exam, but stick with them. I thought they were kind of fun, and rewarding when I solved them.
  5. Finished the 3 hour exam with maybe 10 minutes to spare...and passed!
Other recommendations (or things I wish I also did):
  • Don't forget about book 6, it also has some good study material and links. It has more than CTF info and an index. I mistakenly focused my studying on just books 1-5.
  • Listen to the MP3s of the class--I didn't find these until about a week before the test. They would have been good to listen to during my commute.
  • Try to recreate the classroom network and targets at home--this would have been great practice.
The test is a mental workout, but as long as you don't panic and take your time you'll do fine. Keep calm and bring your index.

Attended Black Hat and DefCon

August 7-11, 2019 Events

Attended Summer Camp for the first time. Hacker Jeopardy was great, and I wish I had hit more workshops; maybe next time. Also, thank you to whoever shared his Malört. It's so bad it's great; I think I get it now.

Infragard Journal - Vol. 2 Issue 1

July 31, 2019 Writing

Co-edited the first issue for 2019. Not the easiest volunteer job I've done, but I look forward to helping deliver the next one.

Song One

July 14, 2019 Music
Tune from a couple years ago that I updated to include my new Moog.


ISC2 certs expired today

July 1, 2019 Certifications

Not sure what to do here. I don't think I need them any more career-wise, except for those positions where they require the CISSP box checked. But is that the type of job I'd want anyway?

Cackalackycon

May 31-June 2, 2019 Events

Attended a great security conference in Chapel Hill, NC. It's where I discovered Malört, and I kind of wish I hadn't.

GCTI Gold-Level Certification

May 1, 2019 Certifications

Earned GCTI gold level certification for working with an advisor to publish the paper Threat Intel Processing at Scale, available in the SANS Reading Room.

GIAC Cyber Threat Intelligence (GCTI) Certification

October 1, 2018 Certifications

Passed the GCTI exam.

ABI Calculator

June 17, 2018 Coding

To keep my UI skills current, I recreated an ABI Calculator app using vue.js and bootstrap. It's still a little rough but it works, at a good stopping point for now.

Passed the AWS Certified Solutions Architect - Associate exam

May 21, 2018 Certifications

I passed the AWS Certified Solutions Architect - Associate exam on 5/21 and wanted to share how I prepared:

  • Took these classes:
    • Architecting on AWS
    • Advanced Architecting on AWS
    • Security Operations on AWS
  • Watched all videos and took all practice exams on acloud.guru
  • Took all practice exams on whizlabs.com
  • Read the FAQs and some white papers on the core services (Lambda, S3, IAM, EC2, VPC, DynamoDB) and on elasticity and scalability
I also took a lot of notes, most of them based on questions I got wrong on practice exams. The cert exam was updated a few months ago and has far fewer gotcha questions; most are scenario based. Preparing for the cert is a great learning opportunity (some people even enjoy it), and I've started getting ready for the Sec Ops one, which was released a couple of months ago.

Hope this helps. Good luck!

https://www.certmetrics.com/amazon/public/badge.aspx?i=1&t=c&d=2018-05-21&ci=AWS00409377

Tell Your Story

December 21, 2017 Writing

I've reached a milestone I didn't think I'd achieve for my first self-published book: 2,500 copies sold. It was a project I started mostly to get experience with creating something that I could put on my shelf. It was also an opportunity to share what I've learned after years of teaching and working in infosec. I want to encourage anyone who has an interest in writing a book to go for it--make it your 2018 goal. Here are a few lessons learned that I'd like to share to help you get started.

Have a solid outline

I created five chapters, and grouped the list of things I wanted to cover into each of those buckets. Going with a textbook format, the first chapter I dedicated to fundamental terms that would be used in the remaining chapters, and ended each chapter with a glossary. The resulting chapters for the book are Introduction, Protect, Detect, Respond (which are based on tenets of the NIST Cybersecurity Framework) and Conclusion. Each chapter also starts with a quote.

Create a goal

Have a target number of words you want your book to have. I went with 20,000 to keep it concise. This also helped me balance out each chapter, and motivated me to keep adding content until I reached that goal. However, be aware that you need a minimum number of pages in order for the book spine to be printable (the spine for mine has no text as a result, which doesn't do much for its bookshelf presence.)

Organize your images

If your book has images, figure out the standard you're going to use ahead of time. I spent a frustrating amount of effort getting the sizing and DPI right so images would display correctly in print and ePub versions. This meant several iterations of converting 27 pictures to different formats and previewing them with various open source tools (not fun). I wish I had hand drawn them instead.

Sell it

Once it's published and available for purchase on the marketplace, don't overlook marketing your new book. Leverage social media, participate in giveaway promotions, and keep tabs on your reviews. There are also promotion options (some are free, some aren't) like having your book show up when someone searches for certain terms. And look at all the marketplaces where your book is listed. I found a few surprises (some nice, some not so much) in UK, IN and EU markets where my book is also sold.

Conclusion

Freely available tools that you can use to self-publish a book have significantly improved over the past couple of years. Now there are Word add-ins and applications like Kindle Create where you are able to do all of your formatting and previewing within the same tool. Editing ePub XHTML is no longer needed, making the barrier to "published author status" barely a speed bump. So what are you waiting for? Start writing!

Cyber Security Basics Sales Update

November 4, 2017 Writing Security

For a 100-page book I self-published using Kindle Direct Publishing, sales have definitely exceeded expectations! I created it more as practice and to share what I knew about information security best practices. I still believe that if the fundamentals are done, the majority of risk can be mitigated. That said, I'm now approaching 2,000 books sold (Kindle and paperback), at which point I may start work on a second edition. I had one day where I sold 110 books -- wish I knew to whom. I am guessing it was for a class, or a giveaway, or maybe they're being resold somewhere else in the world.

I am also enjoying decent reviews: 11 stars in the US and 14 stars in the UK. I appreciate the kind words and feedback! It is rewarding to know that I have been able to contribute to the infosec community, and that something I spent hundreds of hours creating is being well received by hundreds of others who share my interest in information security.

Cyber Security Basics available at Amazon

Phishing Protection Best Practices

August 22, 2017 Blog Security

Today Bank Info Security reports that a Ukrainian bank is warning of a new massive malware campaign about to be launched. Here’s the line that’s most frustrating: “It added that the attacks have been spreading via malicious Microsoft Word documents attached to emails.” So here are some best practices to follow to harden your org against phishing attacks:

  • Use GPO to disable macro execution in Office documents
  • Don’t let employees log in as admin
  • Block unnecessary file extensions at the email gateway (do people really send legitimate .dotm files?)
  • Use an email protection solution that analyzes and blocks malicious attachments before they are delivered to inboxes
  • Prefix the subject line of externally-sourced email with a tag like [EXT]
  • Keep current with patching and updates
  • Train employees to “think before you click” (though don’t count on it as an effective preventative control)

Most of this advice is common sense. But if I’m just preaching to the choir, why are phishing-based attacks against orgs still so damned successful?
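Two of the controls above (blocking risky attachment extensions at the gateway and tagging external mail with [EXT]) as a small policy check over a constructed sample message. This is an added example, not code from the original post; the internal domain, the extension list and the sample message are assumptions.

```python
import email.utils
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
EXT_TAG = "[EXT]"
# Macro-enabled Office formats plus script types that are rarely sent legitimately
BLOCKED_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm",
                      ".js", ".vbs", ".hta"}


def sender_domain(msg: EmailMessage) -> str:
    """Lower-cased domain of the From: address ('' if it cannot be parsed)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def blocked_attachments(msg: EmailMessage) -> list:
    """Lower-cased filenames of attachments whose extension is on the block list."""
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            hits.append(name)
    return hits


def apply_policy(msg: EmailMessage) -> str:
    """Apply the gateway policy in place and return the action taken.

    External senders get the [EXT] subject prefix (never doubled); a message
    carrying any blocked attachment is quarantined instead of delivered."""
    if sender_domain(msg) != INTERNAL_DOMAIN:
        subject = msg.get("Subject", "")
        if not subject.startswith(EXT_TAG):
            del msg["Subject"]
            msg["Subject"] = f"{EXT_TAG} {subject}".rstrip()
    return "quarantine" if blocked_attachments(msg) else "deliver"


def build_sample(sender: str, filename: str) -> EmailMessage:
    """Constructed sample message with one attachment (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = f"alice@{INTERNAL_DOMAIN}"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please open the attached template.")
    msg.add_attachment(b"not a real document", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg


if __name__ == "__main__":
    external = build_sample("billing@invoice-portal.test", "Invoice_Template.dotm")
    print(apply_policy(external), "|", external["Subject"])  # quarantine | [EXT] Overdue invoice
    internal = build_sample(f"bob@{INTERNAL_DOMAIN}", "report.docx")
    print(apply_policy(internal), "|", internal["Subject"])  # deliver | Overdue invoice
```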

References

Ukraine Central Bank Detects Massive Attack Preparation: https://www.bankinfosecurity.com/ukraine-central-bank-detects-massive-attack-preparation-a-10209

List of Microsoft Office file extensions (block most of these): https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions

Alexa skill Security Flashcards

July 25, 2017 Coding Security

I created version 2 of the Alexa skill Security Flashcards. This version uses a JSON file for content (versus having it inline in the code) and has 100 security terms (so far). To use:

  1. Enable the Security Flashcards skill on your Echo device
  2. Visit https://github.com/donfranke/Security-Flashcards for a list of terms that are available.
  3. Launch Security Flashcards
  4. Pick a term, think about what you think the definition is, then ask Alexa to define the term

The goal is to provide a tool to help prepare for security certification exams, as well as understand some concepts that are part of the foundation of information security.

Please let me know if you disagree with any definitions, or have other suggestions for improvement. If you are interested in creating your own Alexa skill, there are plenty of resources available including starter code on Github to get you started. Enjoy!

Android Apps

October 10, 2016 Coding

The two Android apps I created back in 2010 still are alive and kicking. ABI Calculator currently has 563 active installs, and Russian Flashcards has 1,225 active installs.


Really horrible app icons that show up in the Google Play store

I know these are insignificant numbers by most accounts, but for me it’s nice to see something I created being used by other people. And they’ve always been free (which I second guess sometimes.) I would have to completely rewrite the apps to get them updated. Maybe I’ll take some time off to do this.

Machines Training Humans

September 30, 2016 Blog

I was paying for my parking at a ticket machine the other day. As I patiently followed the sequence instructed by the machine, I thought about how machines and software are increasingly training humans. And we're just letting it happen. That same weekend I observed several headlines about the Samsung Smart TV's exceptional eavesdropping capability. From Samsung: "Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party." This isn't new news, but it got me thinking. It is another example of how we have to change our behavior to work around devices and software. Again.

We can't live without our multi-sensor devices we still call "phones." We trust software is doing its job and enabling these cameras and microphones only at our request. We also trust that there are no back doors or malware on the device that enable these eavesdropping features without our knowledge. But it comes down to well-behaved software to not facilitate eavesdropping. The hardware is always ready.

I propose getting back to basics. There should be physical controls in place to disable these cameras and microphones, similar to the plastic tab you pull out of a newly purchased device to enable battery contact, or the plastic key you can yank out of a treadmill if the speed of its ad infinitum path gets too much for you. With this would come the manufacturer's certification that these keys, tabs, lens covers…whatever form they take…absolutely block or allow access to these sensors by any software running on the device.

Software has gotten to be too complicated. It's time to reintroduce physical controls. For now there is electrical tape.

Unpatchable is Unusable

September 24, 2016 Blog Security

I read an interesting article on Computerworld.com titled "Worm may create an Internet of Harmful Things." It discusses how, as our world becomes filled with Internet-connected devices, concerns over security grow. There is one quote from the article that stands out for me: "Security expert Bruce Schneier…is concerned about the broader risks to the Internet of Things. In many cases, IoT connected systems are using firmware that can be hard to patch. In fact, ‘in many cases, [it’s] unpatchable,’ he said." Unpatchable.

When it comes to software security, if it cannot be updated, it should not be used.

This reminds me of an interesting (perhaps unrealistic) software development methodology called "cleanroom engineering". With this approach the focus is on preventing bugs or vulnerabilities from ever making it into production code. The SDLC is heavily weighted on all phases before actual coding begins, because (per this methodology) all you have to do is code to the design, since it should be defect free.

This approach to software development seems like an analogy for vendors who release products that cannot be updated. There are three reasons I can see for this. The vendor:

  • assumes its product is truly 100% secure, and no vulnerabilities will ever be discovered
  • hopes that significant security issues with its product will not be discovered within a reasonable (or obligatory) timeframe
  • does not offer patchable products, but offers to sell replacement products that address the security vulnerabilities found in "last year’s model."

Replacing products used in production is costly and disruptive, and I can't see the news of any unpatchable security vulnerability endearing a vendor to a customer. In our rush to Internet-ize everything, security may take a back seat again, just like in the early days of the Internet or smart phones. As a result, weaknesses will be exposed that give attackers the opportunity to do embarrassing, destructive or even dangerous things.

Vendors should operate under the assumption that something will not go according to plan. At some point, a security vulnerability will be discovered in a product even if the vendor did not find it pre-release. And when that vulnerability is found, the vendor should be able to fix (patch) that vulnerability ASAP. Any other approach, such as selling software products that cannot be patched, is downright irresponsible.

Cyber Security Basics

September 24, 2016 Writing Security

Finally taking the time to figure out how to properly sell the book Cyber Security Basics. I have updated the pricing and updated the Kindle version, and started paying attention to the sales dashboard. To date I’ve sold 215 copies of the physical books and 58 of the Kindle ones.

Kindle Sales for 2016

There has recently been an upward trend that I hope will continue as I dig more into the as-yet untapped marketing options available to self-published authors. And there are a lot! Thank you to everyone who has purchased a copy. Please review it on Amazon if you have a spare minute–it would be a huge help.

Splunk Certified

September 4, 2016 Certifications

It’s official — I got my Splunk Certified Architect 6.3 badge today. It was a lot more work than I thought it would be; it’s definitely not just symbolic. Six classes at about 55 hours total (not including studying), capped off by a final lab that we had 24 hours to complete (I think I took about 8 hours, the first day running well past midnight).

The best way to learn about many technologies, I feel, is to get certified. Preparing for a certification forces you to study and learn the details and a lot of things that you might not have used before, but after learning them, may come in handy later. These classes and tests helped me understand how Splunk works and the depth of the tools and options it offers. It’s really a massive solution, and now I have a better handle on how to apply its various features for almost any type of environment.

The classes, as well as their instructors, were very good. The education program shows that it cares as much about the quality of its training materials and delivery as the engineers who built and support Splunk products care about theirs. I always appreciated how Splunk was created and designed–it just felt like it made sense. Now that I demonstrably know a bit more, my instinct has been validated.