All posts by Kyle Bubp

Installing Spotify on Fedora 24

I’ve recently been using Spotify on PS4 and wanted to get it on my desktop. Unfortunately, the official instructions from Spotify are for Ubuntu and other Debian-based distros.

Thankfully, there’s a way around all of that using rpmfusion. Below are the commands you will need to run in order to get it installed.

$ sudo dnf install --nogpgcheck$(rpm -E %fedora).noarch.rpm$(rpm -E %fedora).noarch.rpm
$ sudo dnf install lpf-spotify-client
$ lpf update

Installing Pi-Hole on Fedora 24

A few months ago I decided to move away from Windows 10 and go back to a Linux-based desktop. I chose Fedora 24, based on my Red Hat experience. Regardless, I’ve been wanting to install Pi-Hole for a while and finally got around to it. There are a couple caveats, but overall, it’s a pretty seamless install.

First, ensure that you are completely up to date before you begin:

$: sudo dnf update -y

Once you are all up to date, simply open a terminal and run the following command:

$: curl -L | bash

Pi-Hole will run through the script and tell you everything is groovy, but that’s not actually the case on Fedora. There are a couple things you need to do.

Step 1: Symlink the pihole binary to /usr/sbin/pihole:

# ln -s /usr/local/bin/pihole /usr/sbin/pihole

Step 2 (only if you were previously DHCP):

Remove duplicate ONBOOT setting in network script. The Pi-Hole installer attempts to make your IP Configuration static if it wasn’t already. This will leave you with two ONBOOT settings. Leave ONBOOT=none and remove the others.

Step 3: Update your lists:

$: sudo /opt/pihole/

Now, you can log in to your router and point the DNS servers to your Pi-Hole box. In my case, Pi-Hole is running on my desktop @ Therefore, I logged into my router and set the DNS server to


Now, all of the traffic on my network will be protected from ads, removing the need to install an ad-blocker on every browser/device. I’m also shielded from ads on devices that can’t install ad-blockers, such as my PS4.

I hope this was informative and helps someone out there who had the same issue I had.

Thus far, I’ve only been using it for 10 minutes and already 2% of my traffic has been blocked due to ads. Hallelujah!



Phish Food: Chumming the Waters on Social Media

Most of us are willing to help others in times of need. We want to trust in others to do the same and generally want to see the best for others. Perhaps the innate desire to trust in and help others is an evolutionary trait humans developed to help us survive, or perhaps we do it simply because of our internal convictions. Either way, more often than not, we want to help others when asked. This is precisely why social engineering attacks are extremely successful methods of infiltrating companies. Whether it’s a phone call to the front desk of an organization trying to get information about those who work there, or an email with an attachment claiming to be an unread fax, most of us let our trust get the best of us which could end up costing the company.

One of the most famous and successful hackers, Kevin Mitnick, relied on social engineering to carry out the majority his hacks. To this day, many hackers are able to gain access to networks and sensitive information utilizing very similar techniques. In fact, many penetration testers will tell you that the easiest way into a network is to simply ask for credentials. This can be in the form of a phishing email, phony website, or, in my experience, even a spoofed phone call from a ‘help desk’ employee.

Before social media, it was sometimes quite difficult to gather enough information about a target to craft a convincing phising campaign. However, with the advent of Facebook, LinkedIn, and the multitude of other social media sites, it is now much easier (no more dumpster diving!). Typically, an attacker will utilize Open Source Intelligence (OSINT) tools to profile an organization. These tools use multiple techniques to scour the Internet for any information pertaining to the target individual and organization. Because many of us today are so apt to share everything on social media, and because these OSINT tools are free and easy to use, the profiling process is much quicker and yields a lot of valuable data.

After an attacker has gathered information about their target, they craft a convincing phishing email. Perhaps the email is spoofed to look like it’s coming from the CEO of the company, asking for their password to be sent to them because they are out of the office and it’s extremely urgent. Or, perhaps the attacker has stood up a website that looks like the victim’s webmail access portal. The attacker then convinces the victim that it’s an “upgraded portal with more functionality” and the victim has been “specially selected out of a handful of people to help test it.” No matter the vector of the attack, the end goal is the same: steal credentials.

Let’s stop making it easy for attackers and start utilizing the same tools the hackers use to get a better idea of what’s out there. First and foremost, if at all possible, do not share any information about the organization you work for on social media (this includes LinkedIn). Also, try to avoid listing your corporate email address anywhere on the internet. Go through each of your social media profiles and beef up the privacy settings to ensure that none of your details are available publicly. Then, Google yourself. See what comes up. Many times you will find data that may have been published years ago that you simply forgot about, just make sure to go back and clean it up. Finally, after you feel that you have sufficiently erased yourself from the Internet, run some OSINT tools on yourself and your organization. The three tools that I like to use are Maltego, FOCA Pro, and Shodan.

While social media is a great tool to keep us connected in both our personal and professional lives, it can also be a tool used by attackers if your privacy settings are configured properly. Let’s stop chumming the waters for phishing campaigns and be more cognizant of what we are sharing online. By over-sharing, we are putting both our personal and corporate assets at risk.

Who Watches the Watchmen?

In the healthcare industry, those practicing in the field must take the Hippocratic oath and swear to uphold specific ethical standards. This standard helps promote the idea of “do no harm” and healthcare practitioners take this oath very seriously. But what about the Information Technology industry? How do we ensure that those we give ultimate power to in our organizations are not abusing their power and are acting in the best interest of the company?

There is nothing similar to the Hippocratic oath for systems administrators, network engineers, or security analysts. Although we would like to hope that throughout our interview processes and background checks, we are hiring morally upstanding folks, there really is no overall ethical oath that professionals in Information Technology subscribe to. The majority of us will respect ourselves enough to hold high ethical standards, but there is also a minority of those who won’t. So, how can we ensure that our employees are not abusing their access?

You may argue that you have logs, you have a SIEM, if anything were to happen, you could pour through your logs and build a forensic timeline to answer the who, what, when, where, and how. However, this is after the fact, after the damage has already been done. Wouldn’t it make more sense to put safeguards in place to prevent the damages from occurring in the first place?

Think of it in terms of your primary bank. You have both your checking and savings accounts in there. Maybe you have some CDs, a HELOC, and a mortgage with them as well. Would you be comfortable if any of the tellers could simply walk into the vault by themselves with no surveillance and no safeguards and do whatever they like under the presumption of trust? Would it be acceptable for the same teller to be able to modify your account information on your mortgage, HELOC, etc. without a second set of eyes and an approval process? I would hope your answer is a resounding “No.”

Thus, we need to start putting surveillance, approval processes, and alerting around our privileged access in our environments. Think about how many individuals in your environment have some type of elevated access. This is not only in the scope of your Domain Administrators, but also the DBAs in your environment that have access to the databases that hold your company’s most sensitive records. How do you know that none of the folks you’ve hired, and trust with your data, are not abusing their power? Especially when the same individual that could access that “Finance” directory on your file share can, at the same time, disable logging and remove all evidence of any nefarious activity?

Here’s an example of how abuse of privileged access could play out: ACME, Inc. just hired a brand new Systems Administrator and, as part of the onboarding process for that team, the new-hire has been given a secondary account with domain admin privileges. ACME has a SIEM, and all of their servers have agents on them to forward logs to the SIEM. One night, after a long troubleshooting session, the new hire feels under appreciated and wants to know the salaries of other employees at ACME. Knowing full well about the SIEM, they first stop the services of the log forwarding agents on the file servers and domain controllers. They then grant themselves access to the directory in which the salary data is stored and make a local copy to a USB. They then delete all logs on the fileserver(s) and domain controllers for the timeframe in which he was snooping. Finally, they enable the agents again and walk out the door with a USB full of ACME’s salary data. Honestly, are your SIEM administrators going to notice that the next day? More than likely not.

Imagine the same scenario, but with a Privileged Access Management (PAM) solution in place. The new Systems Administrator has no idea what their password is to their domain admin account, and they must check it out prior to escalating privileges. Once checked out, anything the Systems Administrator does with their RDP/SSH session is recorded and stored in an encrypted format. That alone would deter most from continuing with the efforts of scraping salary data; however, if one were feeling foolhardy and decided to continue, the session recording would have full evidence of everything they did. To take it a step further, one could even configure the PAM solution to require an approval for checkout. Thus, management would get a request for escalation of privilege and must approve before the new Systems Administrator can move forward. These policies would go a long way to deter privilege abuse, and the session recording features are just another tool in your forensics arsenal.

Think about how many admins you have in your organization who at any time could carry out the first scenario I described without any types of checks and balances. Is your corporate data and reputation something you are willing to risk on hopes that everyone will always be happy and always do right by the company? To take that a step further, do you trust the contractors and vendors that come in for one-time installs enough to not control and monitor their activity? It comes down to due diligence, and in the realm of privileged accounts, we need to control, verify, and monitor access to those accounts. Otherwise, at any moment, one of your employees could be wreaking havoc, planting logic bombs, or stealing sensitive company information, and you wouldn’t know until the damage has already been done.

You Can’t Secure What You Don’t Know About

Do you know how many assets are on your network right now? I’m talking exactly how many, without a shadow of a doubt. Don’t feel bad if you can’t answer this with a confident “of course I can!” If you can’t, you are in the (unfortunate) majority. Although at first glance, you might think “of course I can answer that, my agent-based software-updating software tells me I have 2,000 workstations and 1,000 servers” or “of course I can answer that, there are 3,457 computer objects in Active Directory” but in reality, it’s not that easy.
The unfortunate truth is that many organizations have no idea how many devices are on their network, or what individuals are doing on those devices. For example, how many organizations disable all open ports throughout their building and only enable them upon request? Furthermore, out of those who answer “yes, I do that” to the previous question, how many are securing existing ports in use to automatically disable if it detects a different MAC address on that port? If these safeguards are not implemented on physical network ports, any visitor (or employee) can connect whatever network device they want. Think of all the open physical wall jacks in your building, if they are all hot, all of those ports are ways folks can start infiltrating your network.
I’ve personally seen an employee plug up a Linksys router on an open port in a conference room because they wanted WiFi for their phone. Think about that, a completely open access point directly plugged in to your internal network. The only way it was discovered was an access point/WiFi reconnaissance scan conducted by the security team. Who knows how long it had been on the network, who had connected to it, or what those individuals did while on the network. So, with all that said, are you really comfortable relying on Active Directory or your agent-based A/V or agent-based patching solution to tell you what’s on your network?
You cannot secure what you do not know about, thus, finding the unknowns in your network and maintaining a complete asset inventory is the first step in building a secure network. A great way to start identifying what is in your network is by conducting asset discovery scans. Typically, asset discovery is bundled in with vulnerability scanning that is conducted during hours of low network activity. By scanning daily, and alerting on any new assets that appear on your network segments, you can ensure that you are not only building a list of known assets, but also discovering any unknowns that may be on your network. By taking this first step of discovery of both assets and the vulnerabilities on those assets, you are building the foundation for a secure network.

Malware and How to Deal with It

The information security landscape is evolving daily and it seems like there are just as many products out there as there are exploits. For example, there are intrusion detection systems (IDS), intrusion prevention systems (IPS), file integrity monitoring (FIM), data loss prevention (DLP), next-generation firewalls, anti-virus, anti-malware, email gateways, honeypots, and even products that use artificial intelligence and behavioral analytics to find threats on your networks.

With all the potential solutions out there, it’s easy to get overwhelmed when all you really want to do is protect your network and ensure maximum availability. I’ve seen many approaches to securing a network, from the easy-but-extreme example of air-gapping a network, to going overboard and purchasing as many security products as possible. In security, as with anything, you must strike a comfortable balance between securing your network and not interrupting your users’ workflow while still balancing budgetary concerns and time constraints.

I saw a need for someone in security to strike that balance, cut through the FUD (Fear, Uncertainty, and Doubt), which is why I submitted my article “Malware and How to Deal With It” to the ISSA journal. It was selected for publication for the Journal’s July 2015 issue as well as one of the four best articles of 2015 for the December issue. I hope you enjoy reading it as much as I enjoyed writing it.


A Month with Project Fi


I’ve been using the Google Nexus devices since the launch of the Galaxy Nexus. I’ve just found them to be exactly what I need, without the bloatware that other manufacturers install, and at a great price point. I recently purchased a Nexus 6p, as my Nexus 5 was feeling a little dated. With the purchase, I decided to try out Google’s new cellular service: Project Fi.

Prior to the switch, I had been using T-Mobile’s $30/mo plan that included unlimited data and texts, and 100 minutes of talk time. When I initially switched to T-Mobile about 2 years ago, the service was lacking in rural areas, but over the past year their coverage had vastly improved. The 100 minute limitation was beginning to be a problem, however, as I transitioned from working in an office to being 100% remote. This is what led me to give Project Fi a look.

With Project Fi, you get unlimited minutes and texts and pay $1/100MB. Their cheapest plan is $30 and gives you 1GB of data. Plans go up $10/GB from there. Additionally, if you don’t use the data that you pay for, they will refund you what you didn’t use.

My first issue with Project Fi is that it does not work with Google Apps accounts. My main Google account is a Google Apps account, so this is a slight annoyance in that now I have to have two accounts tied to my phone. However, this is minor. Signing up was a breeze, and within a couple days I had my SIM card. The initial activation is also very simple, the Project Fi app walks you through it and you should be up within 5 minutes with little to no interaction needed.

Project Fi does an excellent job of trying to send all data through a Wi-Fi connection. Since I work remotely, I’m almost always on Wi-Fi, so I don’t use that much cellular data at all. However, even when out and about, if your phone is near an open hotspot that Google deems “trusted”, it will automatically connect as well as fire up a VPN connection to keep your data secure while on the public Wi-Fi. This all happens seamlessly without any user interaction needed.

Halfway through the month, I installed an app called “Fi Spy” that allows you to not only see which network you are on (Sprint or T-Mobile), it also allows you to switch at any time by inputting a carrier code into your dialer. Now, Project Fi will do this automatically from time to time to ensure you get the best service, but I like having the ability to see which network I’m on, as well as switch manually if need be. I will say that the T-Mobile network is much faster than the Sprint network. I also had issues sending MMS messages when connected to the Sprint network.

At the end of the month, using the 1GB plan, Google actually owed me a refund for .27GB unused of my 1GB allotment. This resulted in a $2.70 refund. The Project Fi app will allow you to track your cellular data usage throughout the billing cycle. I’ve gotta say that I did my best to stay under that 1GB mark the first month, and it paid off (literally). This month, however, I’m going to be over.


Overall, I’ve been very pleased with the service and support. I have no reason to go back to T-Mobile, nor switch to any other carrier at this time. If you have a Nexus device, I definitely recommend Project Fi.


Installing and Configuring OSSIM 5.0

Coming from a Linux background, and being in InfoSec, I always try to stay on top of the Open Source Community’s offerings to our space. I have installed/managed AlienVault in the past, but I haven’t used it in a few years and wanted to see just what I could come up with on my home network. If you wanna follow along, by all means:

  1. Download the latest version of OSSIM here:
    1. For the paranoid, get the MD5 sum here and make sure it matches!:
    2. In my scenario, the MD5 Checksum is 80d915f3dfb5aedab31b5981efff582f. If you are using Linux, it’s easy to determine the MD5 checksum of the file. Just open a terminal and use the md5sum command. If you are on Windows and have PowerShell 4, execute Get-FileHash <file> -Algorithm MD5. On < 4, run an obnoxious script.
  2. Fire up your VM software of choice (VMware Workstation, VirtualBox, Hyper-V) and build yourself a VM with the aforementioned .iso. Truth be told, an appliance like this is best installed on physical hardware, but if you just wanna check it out, using a VM is fine.
  3. Install OSSIM
    1. 2015-05-02 19_52_57-OSSIM - VMware Workstation
  4. Give yourself an IP (preferably outside of the DHCP range of your router).
    1. 2015-05-02 19_56_18-OSSIM - VMware Workstation
  5. Create a nice password.
    1. 2015-05-02 19_57_19-OSSIM - VMware Workstation
  6. Let ‘er eat.
    1. 2015-05-02 19_59_45-OSSIM - VMware Workstation
  7. And we’re done! Navigate to the web console, just like it tells ya’ to!
    1. 2015-05-02 20_07_49-OSSIM - VMware Workstation
  8. Fill out some basic info to get started.
    1. 2015-05-02 20_09_29-AlienVault OSSIM [alienvault -]
  9. That’s it for now. You’ll get prompted for a wizard which you should follow if you’re new to all this. I’ll keep you updated as I work through it and apply more of the features to my home network.
    1. 2015-05-02 20_12_24-AlienVault OSSIM
  10. This is super cool. Automatically deploy HIDS to your hosts!
    1. 2015-05-02 20_18_18-AlienVault OSSIM
  11. And automatically load log management plugins based on OS and vendor of network components.
    1. 2015-05-02 20_22_11-AlienVault OSSIM

How to Update Tripod

My wife is a brilliant photographer and uses the Tripod WordPress theme to run her site. The issue is that their documentation is kind of lacking, so I figured I would document the process in hopes to help others.

It’s actually pretty simple, it’s just not mentioned in their documentation as “Update”.

  1. Make a backup! SFTP to your server and copy down your entire directory to your local machine. You will also want to login to your phpMyAdmin to make a backup of your database.
  2. Update your WordPress to the latest version.
  3. Optional: Install Maintenance Mode plugin and set your site in maintenance mode.
  4. Download the latest version of the theme from envatomarket/ If you download the full version + documentation. It will come a .zip. Unzip it.
  5. SFTP to your site and delete the tripod theme ( ../../../wp-content/themes/tripod)
  6. Go to Appearance > Themes > Add New > Upload Theme > Choose File and choose the File named and click Install Now.
  7. Activate theme and make sure everything looks good.
  8. Optional: Disable Maintenance Mode.

Hopefully this helps you out. If you need assistance, just comment and I’ll do my best to answer your questions.