When I got an email giving me the opportunity to work as an intern for Tripwire, I jumped at the chance. I have always been intrigued by the world of cybersecurity and ethical hacking, so this internship truly struck home. The internship started with going through the 2017 Verizon Data Breach Investigation Report (DBIR) over the summer. The goal was to understand the motivations and costs of cyberattacks, as well as the usual vulnerabilities and exploits that continued to compromise systems around the globe. We also discussed how servers should be secured based on companies' individual needs for optimal security.

For our internship, we built a robot that was controlled over the network. It came with a Python-based client that connected into a Flask-based server applet. Our goal was to harden the server to prevent attackers from compromising and controlling the robot.

First, I decided to harden the server with iptables and fail2ban. I wanted the server to drop inbound connections that were deemed malicious, slow down attackers, and make the device harder to find on the network. I also set up dynamic iptables chains to start dropping packets from IP addresses that attempted to connect to the Raspberry Pi too many times. This was designed to be a small active defense system for the Raspberry Pi with an end goal of punishing scans and exploits that tried too many ports.

Another important addition to the hardening was encryption. The first step was adding SSL encryption to the Apache configuration. I also wanted to protect against Man-in-the-Middle attacks that could potentially offer a way to decrypt our commands. I focused on adding a combination of AES and SSL using the pycrypto library to encrypt the POST data. I felt the multiple layers of encryption were needed to protect the SSL handshake from being sniffed – the Achilles heel of the previous year's robot.
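As an added example (not code from the post, from the intern project or from Tripwire), here is a small Python decision engine that reads the kernel messages an iptables LOG rule emits for dropped packets and derives two of the ideas described in this post: banning sources that probe too many distinct ports (the dynamic ban chain above) and admitting a source only after it has knocked a fixed port sequence (the log-driven port-knock variant the post goes on to describe). The log lines are constructed, and the chain name DYNBAN, the knock sequence 7000/8000/9000, the five-port threshold and the service port 443 are assumptions; the script prints the iptables commands it would run rather than executing them.

```python
"""Active-defense decisions from iptables LOG output (added example).

Reads dropped-packet log lines, flags port scanners for a ban chain and
recognises a port-knock sequence. All sample data below is constructed.
"""
import re
from collections import defaultdict

# Assumed knock sequence and ban chain name (not from the original post).
KNOCK_SEQUENCE = (7000, 8000, 9000)
BAN_CHAIN = "DYNBAN"

# Constructed sample of kernel messages as produced by an iptables LOG target
# with --log-prefix "DROP-IN: " (abbreviated to the fields used here).
# 10.0.0.5 walks six ports, 10.0.0.9 knocks correctly, 10.0.0.7 knocks
# out of order, and the last line is an unrelated sshd message.
SAMPLE_LOG = """\
Aug 10 12:00:01 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=21
Aug 10 12:00:01 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=22
Aug 10 12:00:01 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40003 DPT=23
Aug 10 12:00:02 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40004 DPT=25
Aug 10 12:00:02 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40005 DPT=80
Aug 10 12:00:02 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.2 PROTO=TCP SPT=40006 DPT=443
Aug 10 12:00:05 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=51000 DPT=7000
Aug 10 12:00:05 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=51001 DPT=8000
Aug 10 12:00:06 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=51002 DPT=9000
Aug 10 12:00:08 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP SPT=60000 DPT=7000
Aug 10 12:00:08 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP SPT=60001 DPT=22
Aug 10 12:00:09 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP SPT=60002 DPT=8000
Aug 10 12:00:09 pi kernel: DROP-IN: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.2 PROTO=TCP SPT=60003 DPT=9000
Aug 10 12:00:10 pi sshd[812]: Accepted publickey for pi from 10.0.0.9 port 51010 ssh2
"""

# Source address, protocol and destination port of a logged packet.
DROP_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")


def parse_drop_line(line):
    """Return (src, proto, dport) for an iptables LOG line, or None for any other line."""
    m = DROP_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))


def scan_offenders(events, max_ports=5):
    """Sources that touched at least `max_ports` distinct destination ports."""
    ports_seen = defaultdict(set)
    for src, _proto, dport in events:
        ports_seen[src].add(dport)
    return {src for src, seen in ports_seen.items() if len(seen) >= max_ports}


def knock_admitted(events, sequence=KNOCK_SEQUENCE):
    """Sources that hit the knock ports in exact order.

    Any other port resets progress, so a sequential scan that happens to pass
    through the knock ports does not complete the sequence.
    """
    progress = defaultdict(int)
    admitted = set()
    for src, _proto, dport in events:
        if src in admitted:
            continue
        if dport == sequence[progress[src]]:
            progress[src] += 1
        else:
            # A wrong port restarts the sequence; it may itself be the first knock.
            progress[src] = 1 if dport == sequence[0] else 0
        if progress[src] == len(sequence):
            admitted.add(src)
    return admitted


def decide(log_text, max_ports=5, sequence=KNOCK_SEQUENCE):
    """Split the log into sources to ban and sources to admit (ban wins on conflict)."""
    events = [e for e in (parse_drop_line(l) for l in log_text.splitlines()) if e]
    ban = scan_offenders(events, max_ports)
    admit = knock_admitted(events, sequence) - ban
    return {"ban": sorted(ban), "admit": sorted(admit)}


def iptables_commands(decision, ban_chain=BAN_CHAIN, service_port=443):
    """Render the decision as iptables commands (returned, not executed)."""
    cmds = [f"iptables -I {ban_chain} -s {ip} -j DROP" for ip in decision["ban"]]
    cmds += [f"iptables -I INPUT -s {ip} -p tcp --dport {service_port} -j ACCEPT"
             for ip in decision["admit"]]
    return cmds


if __name__ == "__main__":
    for cmd in iptables_commands(decide(SAMPLE_LOG)):
        print(cmd)
```

Run as written it prints one DROP for 10.0.0.5 and one ACCEPT for 10.0.0.9; 10.0.0.7 gets neither, because its out-of-order knock reset the sequence and four distinct ports is below the ban threshold. A deployed version would tail the log continuously and expire both bans and knock progress after a time window; this one re-reads a whole log so the logic stays visible.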
Next, I had to take care of the loose ends, such as hiding the index and adding basic authentication to the Apache server. This followed the best practices of hardening a web server that we learned in the first few days of reviewing the Verizon DBIR.

With the last few days before giving Tripwire a chance to attack the robot, I decided to develop a new way to communicate with the server. My idea was based primarily on port-knockers, a security tool that drops all connections to the SSH port until a certain combination of ports is knocked. However, I designed mine to make the Raspberry Pi drop all connections and read through the log of dropped connections, with the end goal of eventually having a completely invisible (at least to network scans) Raspberry Pi that could only be controlled through an ever-changing combination of ports. Despite my motivation to complete this project, it quickly became clear that limitations of time, hardware and knowledge would prevent me from completing the project. However, I was able to make a working proof-of-concept code here.

On the final day, about three hours before Tripwire was invited to attempt to attack the robot, I found a honeypot program for the Raspberry Pi. I quickly added it to a second Raspberry Pi device and configured it to look like the robot Raspberry Pi, with the end goal of creating a diversion to reduce the attacks on our real device. This took about 15 minutes to set up and test.

During the hack-a-thon, Travis and a team of three other Tripwire employees set up in a conference room and began reconnaissance on the real and fake Raspberry Pi devices. For about 15 minutes, the honeypot was significantly attacked because of its unique telnet client and a lack of an SSH connection. However, Travis was able to determine which one was a true Apache server by capturing the server responses. He was also able to successfully MitM the connections, capturing my credentials for the basic authentication.
However, the double-layer encryption prevented him from decrypting the Pi commands, and two hours passed without a hitch. It is at this point that I truly related to the idiom “pride goeth before a fall” on a deeper level. After about one hour, I realized I could watch my iptables configuration ban people, and my ego skyrocketed from there. I watched malicious IP after malicious IP get banned through an SSH connection directly to the Raspberry Pi, and I loved every minute of it. Yet, because I left this SSH console (root permissions, by the way) open on my computer, Travis was able to have the rest of the Tripwire hack-a-thon team distract me while he created a new user and compromised my robot within minutes. In hindsight, I was shocked at how unintelligent and foolish my inability to lock my computer screen had been, yet it was one of the largest conceptual lessons I learned there. People are just as vulnerable as computers.

Now with my internship complete and the school year starting, I look back on my time at Tripwire as one of my greatest learning opportunities. I entered into Tripwire a complete novice and left with a large pool of knowledge on cybersecurity tools and methods, and an appreciation for how hard companies work to protect my data in the evolving world of cybersecurity.

About the Author: Sean Sullivan is currently a senior at Beaverton High School. Over the summer of 2017, he worked as a cybersecurity intern for Tripwire. Currently, he plans to go to Oregon State University and study either mechanical engineering or software engineering. In his spare time, Sean enjoys camping and windsurfing.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.