All posts by alex

Serverless Hot Water

In another post in the series “that’s niche even for you” this is how to get an alert about the performance of solar hot water production with the MyEnergi Eddi diverter.

We have an unvented hot water cylinder which, like those in many British homes, is connected to a gas boiler that heats the water through a big coil inside the cylinder. Our cylinder also has an electric immersion heater which would not ordinarily be used but is there as a backup, I guess.

Except now it is. We also have solar PV which is where the Eddi diverter comes in. It tracks house usage and if the PV is generating more than the house is consuming it switches on the electric hot water immersion heater. It’s slightly smarter than that, but anyway.

For us we need to put in about 6kWh of energy (gas or electric) a day, which in the summer is no problemo, but as the days shorten we need to start thinking of supplementing it with gas. The MyEnergi app is fine but checking it becomes a chore, so we need a way to send an alert if we didn’t make enough hot water today.

Onto the idiocy: this is all driven from AWS Lambda, invoked on a schedule by an EventBridge rule. SES is used to send the mail, so make sure to verify both the sender and recipient identities first (and update any SPF records).

Create a Python 3.7 function – the 3.7 runtime still ships the copy of the requests library vendored inside botocore, which handles the Digest authentication method that MyEnergi inexplicably uses. (Later runtimes dropped that vendored copy, so on anything newer you would need to package requests with your function.)

from botocore.vendored import requests
from botocore.vendored.requests.auth import HTTPDigestAuth
import json
import boto3
from botocore.exceptions import ClientError


def send_notification(kwh):
    print("Not enough hot water")

    # Replace with your "From" address.
    # This address must be verified with Amazon SES.
    SENDER = "AWS Automation <email@address>"

    # Replace with a "To" address. If your account
    # is still in the sandbox, this address must be verified.
    RECIPIENT = "email@address"

    # If necessary, replace with the AWS Region you're using for Amazon SES.
    AWS_REGION = "eu-west-1"

    # The subject line for the email.
    SUBJECT = "Check the hot water"

    # The email body for recipients with non-HTML email clients.
    BODY_TEXT = 'Only {} kWh hot water made today\r\n'.format(kwh)

    # The HTML body of the email.
    BODY_HTML = '<html><head></head><body><h1>Only {} kWh hot water made today</h1></body></html>'.format(kwh)

    # The character encoding for the email.
    CHARSET = "UTF-8"

    # Create a new SES client in the chosen region.
    client = boto3.client('ses', region_name=AWS_REGION)

    # Try to send the email.
    try:
        response = client.send_email(
            Destination={'ToAddresses': [RECIPIENT]},
            Message={
                'Body': {
                    'Html': {'Charset': CHARSET, 'Data': BODY_HTML},
                    'Text': {'Charset': CHARSET, 'Data': BODY_TEXT},
                },
                'Subject': {'Charset': CHARSET, 'Data': SUBJECT},
            },
            Source=SENDER,
        )
    # Display an error if something goes wrong.
    except ClientError as e:
        print(e.response['Error']['Message'])
    else:
        print("Email sent! Message ID:", response['MessageId'])


def lambda_handler(event, context):
    # The username is your Hub ID, the password is your API key
    auth = HTTPDigestAuth('12345', 'APIkey')

    # Replace the Exxxxxx value with the serial of your Eddi. I think you are supposed to dynamically fetch the server name from director but YOLO
    results = requests.get('https://s18.myenergi.net/cgi-jstatus-Exxxxxx', auth=auth)
    # Fail loudly on an HTTP error instead of trying to parse an error page as JSON.
    results.raise_for_status()

    parsed = json.loads(results.text)

    # "che" is the energy (kWh) diverted into the immersion heater today.
    hot_water_kwh = parsed["eddi"][0]["che"]

    if hot_water_kwh < 6:
        send_notification(hot_water_kwh)
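Two things in the function above would bother me in anything longer-lived than a hobby project: the Hub ID and API key are embedded in the source, and the status document is indexed blindly, so an error body or a missing field crashes the handler with a traceback rather than a clear message. The following is an added example, not code from the original post, showing the decision logic rewritten around those two points. It assumes the credentials are supplied as environment variables named MYENERGI_HUB_ID and MYENERGI_API_KEY (names chosen here), that each device entry carries its serial in a field called "sno" (an assumption; the post only relies on "eddi" and "che"), and the sample payloads are constructed.

```python
# Added example (not from the original post): validated parsing of the
# Eddi status document and a threshold decision, with credentials read
# from the environment rather than hard-coded. Sample payloads constructed.
import json
import os


class EddiStatusError(ValueError):
    """Raised when the status document does not contain a usable reading."""


def load_credentials(env=os.environ):
    """Read the hub ID and API key from the environment (e.g. the Lambda
    configuration). Assumed variable names: MYENERGI_HUB_ID, MYENERGI_API_KEY."""
    try:
        return env["MYENERGI_HUB_ID"], env["MYENERGI_API_KEY"]
    except KeyError as missing:
        raise EddiStatusError("missing credential {}".format(missing))


def diverted_kwh(status_text, serial):
    """Extract today's diverted energy ("che", kWh) for the Eddi with the given
    serial from a cgi-jstatus response body. Malformed input raises
    EddiStatusError instead of an unexplained IndexError/KeyError."""
    try:
        doc = json.loads(status_text)
    except ValueError:
        raise EddiStatusError("status body is not JSON")
    devices = doc.get("eddi") if isinstance(doc, dict) else None
    if not isinstance(devices, list):
        raise EddiStatusError("no 'eddi' array in status")
    for dev in devices:
        # "sno" as the serial field is an assumption, see lead-in
        if isinstance(dev, dict) and str(dev.get("sno")) == str(serial):
            value = dev.get("che")
            if isinstance(value, (int, float)) and value >= 0:
                return float(value)
            raise EddiStatusError("'che' missing or not a number")
    raise EddiStatusError("serial {} not present".format(serial))


def needs_alert(kwh, threshold_kwh=6.0):
    """The post's rule: alert when less than 6 kWh went into the cylinder."""
    return kwh < threshold_kwh


def evaluate(status_text, serial, threshold_kwh=6.0):
    """Return (kwh, alert) for a status document."""
    kwh = diverted_kwh(status_text, serial)
    return kwh, needs_alert(kwh, threshold_kwh)


# Constructed sample payloads, shaped like the fields read above.
SAMPLE_OK = json.dumps({"eddi": [{"sno": 12345678, "che": 7.4}]})
SAMPLE_LOW = json.dumps({"eddi": [{"sno": 12345678, "che": 2.1}]})
SAMPLE_BROKEN = '{"status": -1}'
```

In the Lambda itself you would call load_credentials() once at module import and pass the result to HTTPDigestAuth, and wrap evaluate() so that an EddiStatusError sends a "could not read the Eddi" mail rather than silently skipping the day's check.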




1 Click IoT Buttons And Laundry

So, I have a “typical” problem, in that I forget when the washing cycle is supposed to end, leading to clothes sitting in the machine for some amount of time.

I’ve tried setting reminders on my phone but I’m not always 100% at remembering to do that either, especially if there’s multiple batches or a washer and a dryer cycle running.

I should note that these are “dumb” machines, which are unlike current models which send you a ping to your phone when they’re done (which actually seems like a sensible idea for IoT / embedded systems in consumer devices).

I wondered whether I could come up with some really automated way of doing this like:

  • Monitoring the power consumption (through a connected load monitor) which looks for a spike then zero for a period.
  • Sticking vibration monitors to the side.

But I couldn’t figure out something that was really reliable (didn’t suffer from false positives like someone walking past) or didn’t need a bunch of processing power running on a brittle VM at home.

The answer then is to go all out on a crazy serverless architecture in AWS using 1 Click IoT buttons.

The idea is that you can mash the button stuck to the washer or dryer as you start the program, then based on the normal program you use (let’s face it, it’s always the same) you can get a notification a set amount of time later.

The AWS IoT buttons are no longer directly available but you can get them off eBay for £10 each or so – they’re basically the same as the Dash buttons used to be but unbranded.

The buttons can be programmed using Bluetooth, via a phone app, to connect to your wifi and then directly send an email. Unfortunately this won’t do for our needs as we need to send that mail an hour later. Luckily the buttons can trigger a Lambda function of our choosing – great!

But not so fast – Lambda functions can only run for a short time, and all the while they’re running, they incur costs, so it’s not just a matter of putting in a sleep(). What we need to do then is the following:

  1. Button press triggers Lambda function
  2. Lambda invokes a Step Function with a pause
  3. Step Function triggers another Lambda function, which calls:
  4. An SNS notification
  5. People are subscribed to the SNS Topic, and get an email, SMS or push notification

Want to setup this idiocy yourself?

Start by creating a templated Step Function. This will use CloudFormation to create the state machine, SNS topic, IAM role and Lambda function for you. You’re looking for the “Wait state” template:

Now go into Lambda and create a function called “washer” with the following Python 3.x snippet:

import json
import boto3

print('Starting washer notification with 60 minute delay')


def lambda_handler(event, context):

    # Edit the message and timer duration below as needed.
    # The topic ARN is the SNS topic CloudFormation created for you.
    data = {
        "topic": "arn:aws:sns:eu-west-1:xxxxxxx",
        "message": "Washer Done",
        "timer_seconds": 3600
    }

    json_string = json.dumps(data)

    client = boto3.client('stepfunctions')
    # The request ID gives each execution a unique name, so a second press
    # starts its own timer instead of being rejected as a duplicate.
    response = client.start_execution(
        stateMachineArn='arn:aws:states:eu-west-1:xxxxx',
        name=context.aws_request_id,
        input=json_string
    )

    return 'Triggered step function'

You will need to edit the SNS topic and the state machine ARNs that CloudFormation created for you, which you can find within the SNS and Step Functions areas of the console, e.g:

You will then need to go into the IAM console and give the CloudFormation-created IAM role the ability to access Step Functions (probably not full access, but as there’s only me in this account I don’t think it matters):

You lastly need to go into 1 Click, and create a template for button clicks that call your “washer” lambda function, and then provision the buttons into your account via the iOS/Android mobile apps:
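The template hands you the Wait state and the downstream function, so the pieces left to get right are what the button function passes into the state machine and what the downstream function does with it. The following is an added example (not the post's code or the CloudFormation template's) covering both ends: build_execution_input() checks the topic ARN, message and timer before they go into start_execution, notify_handler() is the function the Wait state calls and refuses to publish to any topic outside the account prefix it expects, and start_execution_policy() is the least-privilege alternative to the "probably not full access" grant above. It assumes the state machine passes its input JSON through unchanged to the second function (as the Wait-state template does), and the account ID and topic names are placeholders.

```python
# Added example (not from the original post): input validation for the
# button-triggered function, the SNS-publishing function behind the Wait
# state, and a minimal IAM policy for the button function's role.
import json
import re

# Shape of an SNS topic ARN; the account prefix below is a placeholder.
ARN_RE = re.compile(r"^arn:aws:sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]+$")
ALLOWED_TOPIC_PREFIX = "arn:aws:sns:eu-west-1:000000000000:"  # placeholder account
MAX_TIMER_SECONDS = 4 * 3600  # no laundry cycle runs longer than this


def topic_is_allowed(topic):
    """Only well-formed topic ARNs in our own account/region are accepted."""
    return bool(ARN_RE.match(topic)) and topic.startswith(ALLOWED_TOPIC_PREFIX)


def build_execution_input(topic, message, timer_seconds):
    """Return the JSON string to hand to start_execution, or raise ValueError."""
    if not topic_is_allowed(topic):
        raise ValueError("refusing to target topic %r" % topic)
    if not isinstance(timer_seconds, int) or not 1 <= timer_seconds <= MAX_TIMER_SECONDS:
        raise ValueError("timer_seconds out of range")
    if not message or len(message) > 256:
        raise ValueError("message empty or too long")
    return json.dumps({"topic": topic, "message": message, "timer_seconds": timer_seconds})


class FakeSnsClient:
    """Stand-in for boto3's SNS client so the example runs offline; records publishes."""
    def __init__(self):
        self.published = []

    def publish(self, TopicArn, Message, Subject=None):
        self.published.append((TopicArn, Message, Subject))
        return {"MessageId": "constructed-%d" % len(self.published)}


def notify_handler(event, context=None, sns_client=None):
    """The function the Wait state invokes; `event` is the state machine input.
    Re-checks the topic so a mis-crafted input cannot publish elsewhere."""
    topic = str(event.get("topic", ""))
    if not topic_is_allowed(topic):
        raise ValueError("unexpected topic in state machine input")
    if sns_client is None:
        import boto3  # only needed when running for real inside Lambda
        sns_client = boto3.client("sns")
    resp = sns_client.publish(
        TopicArn=topic,
        Message=str(event.get("message", "Done"))[:256],
        Subject="Laundry",
    )
    return resp["MessageId"]


def start_execution_policy(state_machine_arn):
    """Least-privilege IAM policy for the button function's role: it only
    ever needs to start this one state machine."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "states:StartExecution",
            "Resource": state_machine_arn,
        }],
    }
```

The same idea applies to the downstream function's role: sns:Publish on the one topic ARN, nothing broader. Scoping both roles this way means a bug or a stray input in either function can at most send you a spurious laundry notification.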

I then use Pushover to take an email generated as an output from the SNS Topic to turn that into a mobile alert, but an email or SMS is equally doable.

And there you have it, a stupidly over engineered solution for telling you when your laundry is done, ish.

As for costs: Lambda and Step Functions have a free tier and you’re unlikely to go over those limits with this little project.
Buttons have a 25 cent a month charge.
SNS has no charge for emails or SMS within the US, ~£0.02 per text otherwise.

Partial Passwords

Partial, or masked, passwords are an authentication scheme where you’re asked to select or enter only specific characters from your password at a login screen – e.g. the 3rd, 5th and 7th characters:

This got me thinking – normally passwords are stored on the server in an irreversible hashed format (there are many schemes, like bcrypt) which protects you in case the passwords are all dumped out in an attack. But in the case of partial passwords, is there a scheme that still preserves this protection? It seemed unlikely – a hash cannot reveal individual characters of a password; all information is destroyed in the process of hashing if it is truly a one-way function.

https://twitter.com/alexlomas/status/990137408472670209

The whole password would need to be stored in a recoverable form for individual characters to be compared. Does this imply plain text storage somewhere though? Not necessarily: the whole password can be stored encrypted in, say, an HSM. The individual characters can be presented to this black box, which gives a yes/no answer back. Does this increase the risk that decrypted passwords could be extracted? Yes, because HSMs are not invulnerable, and if you don’t use an HSM, you’d better hope you have an excellent cryptographer on staff, maybe one that knows about Shamir’s Secret Sharing.

OK, so, there are some risks with password storage, most of which we can avoid by properly hashing, but if we do store passwords with reversible encryption (or not at all) is the trade-off worth it?

The threat model would appear to be one of shoulder-surfing or keylogging. If I can observe you entering your banking password in full, I need only capture it once, but if I ask for only 3 characters at a time, it will take me longer. But how much longer?

My lovely husband has written me some R to simulate this and you can have a tweak of some of the parameters below, but basically for an 8 character password with 3 characters asked for at random it takes about 6 times for an attacker to observe you before they have the full password.
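The simulation is a coupon-collector problem: each observed login reveals m of the n positions, and the attacker is done once every position has been seen at least once. The block below is an added example, not the R script referred to above, and it does two things: it computes the expected number of observations exactly by inclusion–exclusion, and it checks that figure by simulation. It is written for general n and m, so you can try other challenge sizes; the post's 8-character, 3-at-a-time case comes out at about 6.6 observations on average, in line with the "about 6" quoted.

```python
# Added example (not the post's R code): how many partial-password
# challenges an observer needs before every position has been revealed.
from math import comb
import random


def expected_observations(n, m):
    """Expected number of challenges until all n positions have been seen,
    when each challenge reveals m distinct positions chosen at random.
    E[T] = sum_t P(T > t), and P(T > t) follows by inclusion-exclusion over
    the sets of k positions that have all been missed t times."""
    total = comb(n, m)
    expected = 0.0
    for k in range(1, n + 1):
        # probability one fixed set of k positions is missed by one challenge
        p_missed = comb(n - k, m) / total
        expected += (-1) ** (k + 1) * comb(n, k) / (1 - p_missed)
    return expected


def simulate_observations(n, m, trials=20000, seed=1):
    """Monte Carlo check of the closed form: mean rounds to cover all n positions."""
    rng = random.Random(seed)
    total_rounds = 0
    for _ in range(trials):
        seen = set()
        rounds = 0
        while len(seen) < n:
            seen.update(rng.sample(range(n), m))
            rounds += 1
        total_rounds += rounds
    return total_rounds / trials


def challenge_keyspace(alphabet_size, m):
    """Number of guesses for one challenge, e.g. 36**3 for a case-folded
    alphanumeric 3-character challenge; this is why lockout is mandatory."""
    return alphabet_size ** m


if __name__ == "__main__":
    for n, m in [(8, 3), (8, 4), (12, 3), (20, 3)]:
        print("n=%2d m=%d  exact %.2f  simulated %.2f"
              % (n, m, expected_observations(n, m), simulate_observations(n, m, trials=5000)))
```

The simulation assumes the challenge positions are independent between logins, which is exactly the behaviour flaw 2 below warns against: a scheme that re-rolls the positions on every page refresh hands the observer (or the attacker with a few captured characters) a free re-sample without needing a genuine login at all.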

Poorly implemented partial password schemes have additional flaws:

  1. By reducing a long password down to three choices, I’ve suddenly made it a lot easier to guess. An eight character alphanumeric password with mixed case gives 2^14 combinations, but many partial password schemes ignore case (it’s hard to scroll down that far for customers) so this is only 36^3 (~46,000) combinations which is quickly and trivially run through.
    As a result, partial password schemes must be paired with a strong lockout system.
  2. If the partial password selection is chosen at random at each refresh of the page, I can simply keep on asking for another sample until I get the ones I know.
    Schemes must remember the required set for that “session” until the user successfully logs in and the selection is changed to another.

But in practice, many types of banking malware will simply modify the look of your bank’s login page in the browser to change the field to ask for the full password, send that to the crooks, who can then complete the “legitimate” three-out-of-eight challenge anyway.

All of this also actively discriminates against users of password managers – browser plugins that generate, store, and autofill long and random passwords for each site. If I have a 20 character password, I’m going to need to view it in plain text then manually count through each letter, number and interrobang to complete the challenge, thus displaying it for all to see and defeating the objective anyway. Password managers are actively encouraged by any sane and sensible security professional.

Once upon a time when keylogging and screenlogging malware was naïve this might have been a valid defensive measure, but the bad people quickly adapt and this is now an out of date and potentially risky approach to handling passwords.

What can we do then? Multi-factor authentication.

Thoughts on the CREST CRT

Continuing my thoughts on exams series (see CISSP & CPSA) here are some notes on the CREST CRT. These are notes to help you prep, they are not the answers – CREST have a robust NDA and I have no intention of breaking it!

Pre-Reqs

You will need to have sat and passed the CPSA MCQ at a Pearson Vue test centre first. You book this direct with Pearson Vue using a credit card.

Once that’s done, book the CRT direct with CREST by filling out the form at https://www.crest-approved.org/wp-content/uploads/UK-Exam-Booking-Form.pdf and emailing it to them. Nominate a month you want to do the exam and CREST will come back to you with some dates and morning/afternoon session availability.

You’ll need to travel to Slough – the test centre is 5 minutes’ walk from the station. Although there are several car parks, I really struggled to find spaces so the train might be your best bet, especially if you have a long drive.

CREST were really helpful and friendly during the booking process so don’t be shy about dropping them a line if you have any questions.

Your laptop

You’ll need to take in your own laptop but remember that CREST will want to wipe the hard drive on it afterwards. They didn’t seem too concerned about the swish M.2 SSD I had in mine, but if your drive is non-standard, drop them a line. Either clone your existing drive or build fresh onto a new disk as they’ll be hanging onto the one in the machine for a few days and you’ll be without a working machine otherwise.

Kali should get you through the majority of the test, but you’ll need a vulnerability scanner too so license up a copy of Nessus or OpenVAS. Similarly a web proxy tool like Burp will be helpful for the webby bits. If you’re sitting this exam then these will all be tools you use daily anyway. Maybe.

Make sure you’re comfortable with configuring networking on your laptop and any VMs you have. I’d recommend bridging, not NATing, if you have VMs though. You can take in a subnet crib sheet to help, or install ipcalc. As the candidate notes point out, there are 10 marks up for grabs just for getting connected.

Read through the syllabus and write down the relevant tools and switches you’ll need for each section – some of them don’t come as standard on Kali and you’ll need to install.

General strategy

Time will run away from you, even if it doesn’t usually in these kinds of tests. Be organised! It’s an open book exam so take in tool notes and crib sheets, you do not want to be scrabbling around trying to figure out the syntax for things. I found https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/ to be really helpful, so save a copy of that offline somewhere.

The test network is not internet-connected, although there is a machine in the corner of the room that you can use to Google, but frankly, if you’ve gone there then move on as it’s just a time suck.

Read through the question paper first. It’s a series of MCQs, but some questions are weighted more than others, so plan your time so that you don’t miss out on some of these more valuable ones. It’s not negatively-marked, so if you get to the last 5 minutes then just guess, don’t leave answers blank.

None of this is anything the invigilators won’t tell you at the start!

Good luck!

BLE Security

It has been an interesting week.

I’ve been working at PTP for a few months now, and one of my first pieces of research has been on IoT, er, “intimate wearables”. Well, you can read it, including the snappy vulnerability name we came up with (all the best do): https://www.pentestpartners.com/security-blog/screwdriving-locating-and-exploiting-smart-adult-toys/

After that it’s been picked up by a fair few outlets, including:

There was also a lively twitter discussion from my friend Ben Goldacre which ended up involving an MP:

Which resulted in this article in The Guardian: https://www.theguardian.com/commentisfree/2017/oct/06/drive-by-sex-toy-hacking-wake-up-call-britain-internet-security-vibrators

Which I think neatly brings us back round to why I/we did the research in the first place. Yes, the headline is catchy, but it’s to highlight that although BLE has “short” range (anything up to several hundred meters which may not be what you’d think as short) it often has shockingly implemented security that can have real world physical damage.

Many commenters pointed out that unsolicited activation of, er, the “intimate wearables” might be a feature and not a bug. I’d agree, if you knew that’s what you were getting into – consent is sexy!

We’re doing some more work on the range soon, as well as some additional vulnerability disclosures on these products – watch out for those.

Update: do you use the Lovense “Body Chat” app to, er, chat? Your messages and other info are probably not as secure as you think they are.

Update 2: I did an interview with Claire Lampen for Gizmodo, exploring the legal aspects of this too: https://gizmodo.com/if-your-vibrator-is-hacked-is-it-a-sex-crime-1820007951

Thoughts on the CREST CPSA

I’ve just sat my CPSA in preparation for $newjob.

The CPSA is part of a UK government qualifications track administered by CREST for accrediting ethical security testers and their companies. You can find a fairly barebones syllabus online along with some suggested reading material.

The CPSA changed radically a couple of years back, in that it used to be open book and packaged with a practical component, the CRT. It’s now closed book, separate from the CRT (and indeed, a prerequisite for sitting the CRT) and administered in Pearson test centres in MCQ format. The only other discussion of the CPSA I’ve found is from before this change.

The exam content is under NDA and of course, the question bank will give different content to each candidate, so this discussion isn’t going to give much away. However, although I’ve worked in security for the last five years (and IT in general for twenty) I went into the exam feeling the least confident I’ve ever felt. I’d read the syllabus and most of the reading list and still really had no idea about the content or question style.

So, here’s my advice:

  • Read the syllabus thoroughly. Note that some points aren’t examinable in the CPSA but are for the CRT and vice versa.
  • If you’re actively working in pen testing and have a background in general IT, or better still, have a CISSP or GSEC then you’ll be good with just a bit of general reading up.
  • Read the question and answers thoroughly, obviously!

Good luck!

Data mangling the Piccadilly Line

TfL have been nice enough to release a data set showing how busy trains are – the train loading.

They use a 6 point scale to measure the busy-ness:

Scale  Definition          Actual measure on train
1      Very quiet          zero to all seats taken
2      Quiet               0 to 2 customers per m²
3      Fairly busy         2 to 3 customers per m²
4      Busy                3 to 4 customers per m²
5      Very busy           4 to 5 customers per m²
6      Exceptionally busy  > 5 customers per m²

As I live in West London and work in Central London I’m interested in morning eastbound and evening westbound travel.

So, bad luck if you want to get on a train at South Ealing towards Acton Town between 0800 & 0830:

In the evening it’s very busy from central London westwards between 1745 & 1830, although once you get to Gloucester Road you stand more of a chance of getting on:

The numbers seem to suggest that the loading to Rayner’s Lane is the same as Heathrow destined trains; in my experience this isn’t borne out. The data gives a hint towards this in that Acton > Northfields trains are busier for the same time window, but I wonder whether the lower frequency of Uxbridge trains skews this a bit.

Hopefully this gives you an idea of your chances of getting on a train in the morning – I’d love to see this baked into Citymapper.


💩

I’ve encountered a couple of bugs with internet-connected devices recently so I thought I’d document them in case some other poor soul had the same troubles.

Yes, I’m kinda aware I’ve brought a lot of this on myself but it does somewhat show that these things aren’t ready for primetime just yet. I’ve done the “sensible” thing and segregated IoT devices onto their own separate, firewalled VLAN although most vendors aren’t necessarily expecting this arrangement. Many devices do NAT hole punching which seems to work ok, except when there’s UDP traffic or IPv6 thrown into the mix. Explicit port forwarding seems to be on the (thankful) wane.

Nest Protect

I had a really strange experience when my Nest smoke alarms suddenly stopped checking in. They couldn’t jump on the network and even a reset failed with the cryptic error code P007(3.9). Their technical support has actually been surprisingly good but they couldn’t figure it out.

I eventually deduced that Nests will only try the first DNS server handed out to them over DHCP. If that one is broken (but a second/third/fourth is still up so name resolution is working for everyone else!) then they fail with this generic error.

Fix: make sure your primary DNS is working; Nest need to fix the bug in their firmware so they’ll failover gracefully (which you’d assume they’d do for a safety device).

Update 05/03/17: the bug doesn’t seem to have been accepted by Nest still so I guess this isn’t going to get fixed. If a single point of failure in networking for a device that’s supposed to tell you your house is on fire worries you, I guess don’t buy one?

Netatmo Welcome

I had a camera working for ages until one day it suddenly stopped and just showed “disconnected”. A reset similarly failed to get it back online and the setup process choked with generic errors about checking the internet connection etc.

Some hints from a forum led me to find that the camera runs an IPSEC tunnel back to Netatmo over UDP. This tunnel is initiated from Netatmo themselves and my stateful firewall didn’t appreciate unsolicited inbound UDP.

Fix: Permit UDP source ports 500 & 4500 from any public IP to the IP of your camera. Note that this is not port forwarding, just a firewall rule.

(I haven’t been able to pin down exact IP ranges this will come from as Netatmo use a variety of servers and they weren’t forthcoming with help.)
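Before opening the firewall for this it is worth confirming from the logs that the drops really are the unsolicited IKE/NAT-T traffic described above, and not something else the camera is doing. The following is an added example (not from the post) that runs that check over iptables-style LOG lines: it flags dropped UDP packets from a non-LAN address with source port 500 or 4500 whose destination is the camera. The log lines are constructed, the camera address 192.168.50.20 is assumed, and "LAN" is taken to mean the RFC 1918, loopback and link-local ranges.

```python
# Added example (not from the original post): find dropped inbound IKE/NAT-T
# (UDP source port 500/4500) packets addressed to the camera in firewall logs.
import ipaddress
import re

CAMERA_IP = ipaddress.ip_address("192.168.50.20")  # assumed camera address
IKE_PORTS = {500, 4500}
FIELD_RE = re.compile(r"(\w+)=(\S+)")
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_lan_address(addr):
    return any(addr in net for net in LAN_NETS)


def parse_iptables_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict, or None."""
    fields = dict(FIELD_RE.findall(line))
    return fields if "SRC" in fields and "DST" in fields else None


def is_dropped_ike_to_camera(line):
    """True for a dropped UDP packet from outside the LAN, source port
    500/4500, destined for the camera: the tunnel setup Netatmo initiates."""
    f = parse_iptables_line(line)
    if f is None or f.get("PROTO") != "UDP" or "DROP" not in line.upper():
        return False
    try:
        src = ipaddress.ip_address(f["SRC"])
        dst = ipaddress.ip_address(f["DST"])
        sport = int(f.get("SPT", -1))
    except ValueError:
        return False
    return dst == CAMERA_IP and sport in IKE_PORTS and not is_lan_address(src)


def count_ike_drops(lines):
    return sum(1 for line in lines if is_dropped_ike_to_camera(line))


# Constructed sample log (iptables LOG format); 203.0.113.0/24 is a
# documentation range standing in for Netatmo's servers.
SAMPLE_LOG = """\
kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.50.20 PROTO=UDP SPT=4500 DPT=4500 LEN=188
kernel: FW-DROP IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.168.50.20 PROTO=UDP SPT=500 DPT=500 LEN=344
kernel: FW-DROP IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.168.50.20 PROTO=TCP SPT=443 DPT=51234 LEN=60
kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.50.20 DST=203.0.113.45 PROTO=UDP SPT=4500 DPT=4500 LEN=120
kernel: FW-DROP IN=eth0 OUT=eth1 SRC=192.168.1.9 DST=192.168.50.20 PROTO=UDP SPT=500 DPT=500 LEN=100
""".splitlines()

if __name__ == "__main__":
    print("dropped IKE/NAT-T packets to camera:", count_ike_drops(SAMPLE_LOG))
```

One caveat on the rule itself: a source port is chosen by the sender, so a rule keyed on sport 500/4500 is not much of a filter on who can reach the camera. Keep it scoped to UDP and to the camera's single address, and leave the camera on the segregated IoT VLAN so that whatever does come through that hole only reaches the camera.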

Philips Hue

Again, all was working super until one day geofencing and alarms broke. Trying to connect the bridge to the online account (My Hue) would literally cause the bridge to crash – it would remain on the network but be unresponsive over its mini web browser or even zigbee light switch presses.

Philips technical support haven’t been great and blame it all on home networking despite being given packet captures.

Fix: None so far

Workaround: Connect your Hue bridge into Homekit and use the automation features of Apple TV instead.

Update 05/03/17: this randomly started working again recently. Still no word from Hue support though.

Thoughts on the CISSP

Disclaimer: I’m a member of the SANS Advisory Board. SANS is a competitor certification awarding body to ISC2. None of the examples below are real questions from either exam and shouldn’t be used as revision!

I recently clocked up enough elapsed time (after deductions for my GSEC) to be eligible for the CISSP, took the exam, passed and, after a wait, was awarded it.

There are a reasonable number of comparisons out there between the GSEC & CISSP but none that I found that look at it after CISSP updated the common body of knowledge in 2015.

Broadly the style of the exams is similar in that they’re both computer-based proctored affairs at Pearson testing centres (CISSP used to be pen & paper!). The GSEC is shorter (180 questions against 250, 5 hours not 6) and also has the benefit of allowing one 15 minute stopped clock break at any point. The biggest difference though is that GSEC is open book, CISSP all has to be memorised: this allows the GSEC to test certain things akin to the real world like “which of these nmap switches would you use for x” (ie something you’d either google or use the help pages for). Both exams have scenario type questions: “you’re the security officer for widgets INC, which is the best firewall for a DMZ if you’re worried about DDoSs” and hotspot / drag & drop multiple correct answer types. Both allow questions to be flagged and revisited.

I found the revision for the GSEC adequately prepared me for the content and style of question I faced in the real exam. Mock tests are available, which again were fairly close to the real thing. The CISSP was not so – I read a variety of books (Eric Conrad’s), the SANS bootcamp course and the official ISC2 flashcards app but once in the exam the questions felt wildly different to anything I’d revised for. This isn’t helped by the 25 ‘wildcard’ questions thrown in that don’t count!

I’ve never failed an exam in my life but I honestly found myself at the halfway point thinking I’d failed it. Genuinely that bad. Where I could answer things quickly and confidently I did so; anything I was 90% on I answered but flagged; anything I had no clue on I left blank and flagged. The first pass left me with maybe 50 questions I had to go back and review, although I probably only changed a couple of answers on the second look. An actual advantage was gleaning information from later questions to use in earlier ones.

It’s certainly been said that to pass the CISSP you have to ‘think like a manager’ which I always felt was a bit derogatory but I think it really means to think at a high level, never be afraid to give an answer that refers to outside experts and always prioritise human safety.

The CISSP, like the GSEC, is certainly a mile wide and an inch deep – although I think the GSEC is maybe more like an inch and a half! For both, having experience in the field is certainly a blessing and a curse: you need some outside knowledge but you’re often tempted to add extra information into the questions – “I do change management differently to that at work”.

So which is the better exam? From an experience perspective I’d say the GSEC was the more ‘enjoyable’ and perhaps relevant to the day job. It certainly taught me some new things to take back to the day job too. But the GSEC is not so widely recognised so if you want to pass that automated screening bot on your next job search then maybe the CISSP is the one to go for.