I recently discovered David Bombal and Rachel Tobac. They got together on a video this month and it’s great.
Category: cybersecurity
Changing Mastodon Servers
What is Mastodon?
Mastodon is free and open-source software for running self-hosted social networking services. It has microblogging features similar to Twitter, which are offered by a large number of independently run nodes, known as instances, each with its own code of conduct, terms of service, privacy policy, privacy options, and content moderation policies.
I would argue it is better than Twitter, primarily because it is not owned by Elon, but also because there is no algorithm choosing what you see, and there are no ads.
Why Change Servers?
Since each server is like its own community, you want to find like-minded people on your server. Since I have been so absorbed in cybersecurity, I initially chose to join ico.exchange. They had an instant join policy at the time, which meant no one had to manually review my application to join the server.
However, since joining I’ve followed more and more of what is going on at infosec.exchange. I follow more people there as well. So I finally decided to switch over, which is not hard.
How I did it
I followed these step-by-step directions, which worked without issue for me. Since I hardly had anything on the server (I’ve only been on for a few months and I don’t post as much as many others), I didn’t really find the download-archive step necessary, although it was nice to have a copy of my avatar image for the new server. What was necessary was the CSV of the followers, so I could follow the same people on the new server that I was following on the old one. Your followers are automatically notified that you have moved and follow you on the new server. There is nothing more you have to do. One big caveat is that you lose all your old posts. They do not make the move over with you. So if you are thinking of moving servers, do it before you have too many posts, or at least posts you care about. Good luck!
Kali Linux and PicoCTF
Update…
This YouTube video that I posted before worked absolutely beautifully on my M1 Mac. Absolutely no problems or troubleshooting. It’s not often you get a YouTube tutorial that runs that seamlessly! UTM is new to me; I had always used VirtualBox in the past, but this was perfect. I’m very happy with my newly installed Kali VM!
I just ran through PicoCTF “Python Wrangling” using the install. Python was already installed, so nothing to do there, just downloaded the files and used them. Insanely easy. That was fun!
PicoCTF
What is PicoCTF?
picoCTF is a free computer security education program with original content built on a capture-the-flag framework created by security and privacy experts at Carnegie Mellon University.
It has training available for those who want to learn more about computer security. I just signed up today and followed along with this YouTube video to do the first challenge. For me it was VERY easy, so don’t be afraid to dive in. You don’t have to have any prior knowledge or experience to jump in. You can use any operating system (Windows, Mac, Linux). They have everything you need to do this first CTF.
Kali Linux
Disclosure: I used ChatGPT to assist in writing parts of this post. I like playing with it to see how it does. Really impressed so far!
What is Kali Linux?
Kali Linux is a Debian-based Linux distribution designed for digital forensics and penetration testing. It is a popular choice for ethical hackers and cybersecurity professionals because it comes pre-installed with a wide range of tools for tasks such as network reconnaissance, vulnerability scanning, and exploitation. These tools can be used to identify and exploit vulnerabilities in systems, networks, and applications, which is important for understanding how to secure them. Additionally, Kali Linux is free and open-source, making it accessible to anyone interested in learning about cybersecurity.
How can Kali Linux help me learn about Cybersecurity?
Using Kali Linux can be helpful in learning cybersecurity for several reasons:
- The tools: Kali Linux comes pre-installed with a wide range of cybersecurity tools that can be used to perform tasks such as network reconnaissance, vulnerability scanning, and exploitation. This can give you hands-on experience using the same tools that cybersecurity professionals use in the field.
- The community: Kali Linux has a large and active community of users and developers who share information, tutorials, and resources. This can be a valuable source of information and support as you learn about cybersecurity.
- The environment: Kali Linux is designed to be used in a penetration testing environment, which simulates a real-world scenario where an attacker is trying to find and exploit vulnerabilities. This can give you a better understanding of how attackers think and operate, which can be beneficial in understanding how to secure systems and networks.
- The flexibility: Kali Linux is Open-source, which means you can customize the operating system to your needs and you can also build and test your own tools and scripts.
- The availability: Kali Linux is free and easy to download and install, making it accessible to anyone interested in learning about cybersecurity.
Overall, Kali Linux can be a useful tool for learning cybersecurity, as it provides a practical environment for experimenting with different tools and techniques. Use it with care, though: scanners and exploitation tools are intrusive, and running them against systems you do not own or do not have written permission to test can be illegal and can damage those systems. Practise on your own virtual machines or on a platform built for it, such as picoCTF.
How do I install Kali Linux on a Mac?
Installing Kali Linux on a Mac computer can be done using virtualization software, such as VirtualBox or VMware Fusion. Here are the general steps to install Kali Linux on a Mac using VirtualBox:
- Download and install VirtualBox on your Mac from the official website.
- Download the Kali Linux ISO image from the official website.
- Open VirtualBox and click the “New” button to create a new virtual machine.
- Give the virtual machine a name and select “Linux” as the type and “Debian (64-bit)” as the version. (These steps assume an Intel Mac and the 64-bit installer image; Apple Silicon is covered in the next section.)
- Allocate memory and create a virtual hard disk for the virtual machine.
- On the virtual machine settings, click on “Storage” then click on the empty CD icon and select the Kali Linux ISO image you downloaded
- Start the virtual machine, it will boot from the ISO and you will be prompted to install Kali Linux. Follow the on-screen instructions to complete the installation process.
- Once the installation is complete, you can start using Kali Linux on your Mac in a virtual environment.
It’s also worth noting that you will need at least 4 GB of RAM and at least 20 GB of free disk space to run a Kali Linux virtual machine smoothly. Running Kali in a virtual machine also does not give the same performance as a dedicated machine, and some hardware-dependent tools need extra setup: for example, Wi-Fi tools that rely on monitor mode only work with a USB wireless adapter passed through to the VM, because the guest cannot drive the host’s built-in adapter directly.
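One check worth doing before the ISO is attached to the VM: verify the download. Kali publishes a SHA256SUMS file (and a SHA256SUMS.gpg signature over it) next to every image, and a corrupted or tampered installer is the one thing a virtual machine will not protect you from. The following is an added example, not code from the post or from the Kali project: it streams the ISO through SHA-256 and compares the digest with the entry for that file name in SHA256SUMS. File names and paths are assumptions; point them at your own download directory.

```python
"""Added example, not from the post or the Kali project: verify a downloaded
installer ISO against the SHA256SUMS file published next to it.
File names used here are assumptions; pass your own paths on the command line."""
import hashlib
import os

HEX_DIGITS = set("0123456789abcdefABCDEF")


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a multi-gigabyte ISO never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse 'digest  filename' lines (the sha256sum output format) into {filename: digest}.

    A leading '*' on the filename (binary-mode marker) is stripped, digests are
    lower-cased, and any line whose first field is not a 64-hex-digit digest is ignored."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            continue  # comment, blank, or a checksum of another algorithm
        sums[name.strip().lstrip("*")] = digest.lower()
    return sums


def verify_iso(iso_path, sums_path):
    """Return 'ok', 'mismatch' or 'missing'.

    'missing' means SHA256SUMS has no entry for this file name, which usually
    means the ISO was renamed or the checksum file belongs to a different release."""
    with open(sums_path, encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    expected = sums.get(os.path.basename(iso_path))
    if expected is None:
        return "missing"
    actual = sha256_of_file(iso_path)
    return "ok" if actual == expected else "mismatch"


if __name__ == "__main__":
    import sys

    # Usage: python verify_iso.py <installer.iso> <SHA256SUMS>   (script name is an assumption)
    iso, sums = sys.argv[1], sys.argv[2]
    result = verify_iso(iso, sums)
    print(f"{os.path.basename(iso)}: {result}")
    sys.exit(0 if result == "ok" else 1)
```

On Linux the same check is `sha256sum -c --ignore-missing SHA256SUMS` run in the download directory, and `gpg --verify SHA256SUMS.gpg SHA256SUMS` checks that the checksum file itself is signed by Kali’s archive key. A matching checksum without the signature check only proves that the file you received matches the list you received; an attacker who can swap the ISO can usually swap the unsigned list too.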
Installing on a Mac with Apple Silicon (M1/M2)
My requirements are a bit different, so I’m going to try using UTM as outlined in this YouTube video. Wish me luck.
List of Hacker Movies
I posted about a list of hacker movies back in October. Today I looked up the book on Amazon, and it’s $10 for the Kindle edition. I did a little more digging and I found the entire list published on Cybercrime Magazine for free. It includes links and a PDF download. Great fun resource to find a good movie to watch this weekend. Enjoy!
How To Get Started in Information Security
How I Earned my Certified in Cybersecurity Certificate for Free
In my company, someone posted about (ISC)2 giving away certifications. (ISC)2 is the same company that provides the CISSP and other certifications that are well-recognized by companies throughout the world. This One Million Certified in Cybersecurity initiative started at the end of August 2022 with a press release on their website.
I was intrigued and signed up. It is free, there is nothing to lose but time. Even if you fail, you still learn something. The certificate they are helping people receive is called Certified in Cybersecurity (CC). It is a beginner certification and you need no experience to start. Step by step instructions are here, but I want to share my own experience.
The free training is split into 5 sections/domains/chapters. I took one a week. After taking the training I signed up for the test which was two weeks out. I took that time to study, going through the terms and making sure I understood the ideas behind the terms.
You have to take this test at a Pearson VUE center. This was my first time taking a test at Pearson and I found this video very helpful.
I can’t say anything about the test, other than with the studying I did and the (ISC)2 training I was well prepared. You have to sign an NDA before taking the test.
I really enjoyed this program as it helped validate my feelings that I understand cybersecurity fundamentals. I highly recommend it. There is one small catch… After you pass the exam you need to pay your first $50 annual maintenance fee in order to obtain your certification. For me, this was a very small ask for getting free training and a free exam. The exam is usually $199. It is a great deal.
Access Controls
Discretionary Access Control (DAC) – A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.
Mandatory Access Control (MAC) – Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.
Role-based access control (RBAC) – An access control system that sets up user permissions based on roles.
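The three definitions above differ in where the decision is made, and that is easiest to see by asking each model the same question. The following is an added example, not from the (ISC)2 course material or the post: three tiny policy checks for “may this subject perform this action on this object?” The users, labels, roles and permissions are all constructed for illustration, and the MAC rule is a deliberately simplified “no read up” comparison of levels.

```python
"""Added example (not from the (ISC)2 course or the post): minimal DAC, MAC and
RBAC decision functions, to show who gets to decide under each model.
All subjects, labels, roles and permissions below are constructed for illustration."""
from dataclasses import dataclass, field


# ---- DAC: the object's owner decides, and can delegate that decision ----
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of rights, e.g. {"read"}

    def grant(self, granter, subject, right):
        """Only the owner, or a subject the owner gave the 'control' right, may edit the ACL."""
        if granter != self.owner and "control" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} is not allowed to change the ACL")
        self.acl.setdefault(subject, set()).add(right)

    def allows(self, subject, right):
        return subject == self.owner or right in self.acl.get(subject, set())


# ---- MAC: the system compares security labels; the owner cannot override ----
LEVELS = {"public": 0, "confidential": 1, "secret": 2}


def mac_allows_read(subject_clearance, object_label):
    """Simplified 'no read up': a subject may read objects labelled at or below its clearance."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


def mac_then_dac_allows_read(subject, clearance, obj, label):
    """On a MAC system an owner's DAC grant is necessary but never sufficient:
    the label check runs first, and the ACL can only narrow what the labels allow."""
    return mac_allows_read(clearance, label) and obj.allows(subject, "read")


# ---- RBAC: permissions attach to roles; users are assigned roles ----
ROLE_PERMISSIONS = {
    "analyst": {"read:alerts", "read:logs"},
    "admin": {"read:alerts", "read:logs", "write:rules"},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"admin"}}


def rbac_allows(user, permission):
    """Grant if any of the user's roles carries the permission; unknown users get nothing."""
    return any(permission in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")  # owner's discretion
    print("DAC     bob reads alice's report:", report.allows("bob", "read"))
    print("MAC     confidential clearance reads a secret object:",
          mac_allows_read("confidential", "secret"))
    print("MAC+DAC bob (confidential) reads alice's secret report:",
          mac_then_dac_allows_read("bob", "confidential", report, "secret"))
    print("RBAC    alice (analyst) writes rules:", rbac_allows("alice", "write:rules"))
```

The point of `mac_then_dac_allows_read` is the word “mandatory”: alice can grant bob read on her report all day, but if bob’s clearance is below the report’s label the system says no and alice has no say in it. Under pure DAC that grant would have been the whole decision.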
Risk Treatment
Risk Treatment is making decisions about the best actions to take regarding the identified and prioritized risk. There are four types outlined below:
- Risk avoidance is the decision to attempt to eliminate the risk entirely. This could include ceasing operation for some or all of the activities of the organization that are exposed to a particular risk. Organization leadership may choose risk avoidance when the potential impact of a given risk is too high or if the likelihood of the risk being realized is simply too great.
- Risk acceptance is taking no action to reduce the likelihood of a risk occurring. Management may opt for conducting the business function that is associated with the risk without any further action on the part of the organization, either because the impact or likelihood of occurrence is negligible, or because the benefit is more than enough to offset that risk.
- Risk mitigation is the most common type of risk management and includes taking actions to prevent or reduce the possibility of a risk event or its impact. Mitigation can involve remediation measures, or controls, such as security controls, establishing policies, procedures, and standards to minimize adverse risk. Risk cannot always be mitigated, but mitigations such as safety measures should always be in place.
- Risk transference is the practice of passing the risk to another party, who will accept the financial impact of the harm resulting from a risk being realized in exchange for payment. Typically, this is an insurance policy.
I’m posting this because it is a concept that I have in the past been confused on. For example, mitigation and transference can be confused in the following way. If someone decides to buy software, are they transferring the risk to the manufacturer of the software? No, this is an example of mitigation, because no other outside party has taken responsibility.
I also think that risk avoidance should just be called risk elimination. To me avoidance sounds a lot like taking no action, which is actually risk acceptance. Very strange way to think about it!