De-Coder’s Ring

Software doesn’t have to be hard

Month: September 2017 (page 2 of 4)

Threat Hunting: The Network and PCAP

Getting back to a technical topic, let’s talk about PCAP. PCAP is an abbreviation for Packet Capture, and it is the industry standard format for capturing, storing and analyzing network data.

PCAP was made ubiquitous thanks to 'libpcap', a pretty common *nix library for network monitoring and manipulation. libpcap is exposed through some super simple (to use) tools called tcpdump and tcpreplay. These allow a developer/analyst to work with the data, over real or virtual networks.

Those tools are command-line Linux utilities aimed primarily at experts, but they’re simple to get started with. Alternatively, you can use a tool called Wireshark to monitor, capture and analyze network traffic. Wireshark is free, and has some great features around session decoding, traffic analysis and filtering.

Without jumping into too much detail in this post (more information can be found in the video below), we’ll go over some high level information about what a packet looks like.

A packet is a chunk of data sent across a network. A packet can contain a full message, or it can be one piece of a much larger stream; streams are how large pieces of data (movies, songs, pictures, etc.) get broken up into bite-sized chunks.

A packet contains a header, which tells the network gear things like source and destination address, timestamp, protocol and packet size. Network data can be classified into different layers; see the OSI Model. Each layer up from the ‘physical’ layer can be thought of as more specialized.

An example of that would be an HTTP (layer 7) packet, contained in a TCP packet (layer 4), within an IP packet (layer 3), which is contained in an Ethernet (layer 2) packet. The Ethernet packet has very little information in its header: source, destination and what protocol the next (layer 3) packet is. The address in the Ethernet packet is a physical/hardware address. An IP packet is potentially a globally reachable packet, and the TCP packet adds application ports.

Here’s an example of the packet breakdown for an HTTP request. (FYI: Wireshark puts layer 7 at the bottom, while I said layer 7 is at the top.)

HTTP Packet

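The Ethernet → IP → TCP → HTTP nesting described above, as an added example that is not code from the original post: a small Python reader for the classic pcap file format (the 24-byte global header and 16-byte per-packet record header that libpcap, tcpdump and Wireshark write) that peels one frame apart layer by layer, in the same bottom-up order Wireshark shows. The sample capture is constructed in memory with placeholder addresses, so it is not a real capture; the reader handles only Ethernet link-layer files and only the IPv4/TCP path, and it raises on inconsistent length fields rather than guessing, which is the behaviour you want from anything that parses attacker-influenced bytes.

```python
import struct

# Added example (not from the original post): classic pcap reader that decodes
# one frame down the layers Ethernet -> IPv4 -> TCP -> HTTP. Sample data is
# constructed in memory with placeholder (RFC 1918 / TEST-NET) addresses.

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; an intact received IPv4 header sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_pcap() -> bytes:
    """Constructed sample: a pcap file holding one HTTP GET inside TCP/IPv4/Ethernet."""
    payload = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset 5 words, flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    src, dst = bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5])
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in checksum
    eth = struct.pack("!6s6sH", bytes.fromhex("aabbccddeeff"),
                      bytes.fromhex("001122334455"), ETHERTYPE_IPV4)
    frame = eth + ip + tcp + payload
    # Global header: magic, version 2.4, tz offset, sigfigs, snaplen, link type.
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    # Per-packet record: seconds, microseconds, captured length, original length.
    record_hdr = struct.pack("<IIII", 1505000000, 250000, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def decode_frame(frame: bytes, timestamp: float) -> dict:
    """Walk Ethernet -> IPv4 -> TCP -> HTTP, stopping at the first layer not handled."""
    if len(frame) < 14:
        raise ValueError("Ethernet frame shorter than 14 bytes")
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    info = {"timestamp": timestamp, "layers": ["ethernet"],
            "eth_src": src.hex(":"), "eth_dst": dst.hex(":")}
    if ethertype != ETHERTYPE_IPV4:
        info["ethertype"] = ethertype
        return info
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("expected an IPv4 header after the Ethernet header")
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    if ihl < 20 or total_len < ihl or len(ip) < total_len:
        raise ValueError("IPv4 length fields inconsistent with the frame size")
    ip = ip[:total_len]  # drop Ethernet padding that may follow a short datagram
    info["layers"].append("ipv4")
    info["ip_src"] = ".".join(map(str, ip[12:16]))
    info["ip_dst"] = ".".join(map(str, ip[16:20]))
    info["ip_checksum_ok"] = ip_checksum(ip[:ihl]) == 0
    if ip[9] != IPPROTO_TCP:
        info["ip_proto"] = ip[9]
        return info
    tcp = ip[ihl:]
    if len(tcp) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, _ack, off_flags = struct.unpack_from("!HHIIH", tcp, 0)
    doff = (off_flags >> 12) * 4
    if doff < 20 or len(tcp) < doff:
        raise ValueError("TCP data offset inconsistent with the segment size")
    info["layers"].append("tcp")
    info.update(tcp_sport=sport, tcp_dport=dport, tcp_seq=seq, tcp_flags=off_flags & 0x1FF)
    payload = tcp[doff:]
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/"):
        info["layers"].append("http")
        info["http_first_line"] = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return info


def parse_pcap(data: bytes) -> list:
    """Read a classic pcap byte string and decode every Ethernet frame it holds."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:      # written on a little-endian host
        endian = "<"
    elif magic == 0xD4C3B2A1:    # written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled here")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet record at offset %d" % off)
        off += incl_len
        pkt = decode_frame(frame, ts_sec + ts_usec / 1e6)
        pkt["snapped"] = incl_len < orig_len  # capture cut the packet short (snaplen)
        packets.append(pkt)
    return packets


if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(" -> ".join(p["layers"]), p.get("http_first_line"))
```

The `layers` list comes out as `ethernet -> ipv4 -> tcp -> http`, i.e. the order the Wireshark pane shows. Pointing `parse_pcap` at the bytes of a real file written by tcpdump works as long as it is a classic Ethernet capture; the pcapng format that newer Wireshark writes by default has a different container and is not handled here.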

Calling all Cybersecurity Technical folks!

Over the next time period, I’m planning on putting together some interviews in podcast format between me and some security folks that I know. I also hope to meet some new ones in the process!

There are tons of security podcasts and interviews with security folks.  Most seem to be covering current events, outages, new threats, etc.

My goal is to bring focus on the technology that we use in the security landscape to fix things, but to also talk about some best practices when it comes to creating new tools and applications.

Know anyone I should talk to?

Some potential job titles:


VP Engineering/CTO

Security Architect

Security Analyst

… etc

Send them my way!


Indexed Data: The Common Stack

Throughout the past 20 years of my career, I’ve seen a lot of data: small applications that handle a few transactions (e.g. blogs) and large applications (multi-tenant network data collection).

Just about every single one of them has dealt with text searching in some capacity or another.

These days, if I’m moving data in work projects or fun/personal projects, I’m relying over and over on the same stack.

Logstash/Beats -> Kafka -> Logstash -> Elasticsearch with some cool visualizations in Kibana.

Want to know why?

It just freaking works. Especially well for time based events.   Even if it’s not time based, it works.

… best of all?   It’s all freaking free.

You can stand up a single node with all of the above on it. Easy. Sure, it won’t scale on a single node, but each component of that list scales horizontally.

Prototype small, grow big.

Thoughts on Equifax – Tokenization

The past week’s news cycle has been covered by information regarding the Equifax breach. There are rumors on how the breach happened, rumors and accusations (armchair Judge Judy and executioner) about improper stock sales, and a half million class-action lawsuits.

(I exaggerate on numbers)

This post isn’t going to talk about breaches in general, and it’s not going to talk about this breach from a technical standpoint… what I’m going to talk about is something different.

If your bank gets hacked, crap, that sucks. If your doctor/insurance gets hacked, crap, that sucks. They’ll sign you up for identity protection, and you’ll forget about it.

The interesting part about Equifax is that you don’t have an account with them. You’ve never interacted with Equifax, unless it was about your credit score… but guess what? That’s not the information that got stolen.

The data that got stolen, the super important data about your life, was given to them by other entities.  Your bank gave them your information.  Your credit card company gave them your information.  Did you know they did that?

You gave them permission to do so in your contract, but did you realize you did? (Of course not, no one reads the fine print!)

Now that you’re ticked off because someone else shared your data with someone who couldn’t protect it… what do you do?

That’s the way credit reporting and your credit score work. For you to have a credit score, entities have to report to Equifax, TransUnion and Experian.

What could have been done? Tokenization.

There’s a concept in security, and more specifically in secure data storage and transmission, called tokenization. Essentially, a developer trades a secret piece of data (SSN, account numbers, etc.) for a token. The token can later be swapped back for the original piece of data if necessary. This is great inside a company, like a bank. Instead of storing an SSN in an operational database, you store the token. The only time you need the SSN could be printing paper that needs it, or filing a legal document.

There’s a challenge with tokenization for credit reporting. Every bank needs to report someone like ME as the same person. Bank A can’t have token 1234 for me while Bank B reports me as ABCD. They both need to report me as the same. If Bank A and Bank B can both report on me as ABCD1234, then Equifax et al. don’t need to know my SSN. The banks I have a relationship with do.

How do we accomplish this? That’s the big, big challenge… it could be my next billion dollar idea… (yeah, I just gave it away, but execution is 99% of the challenge)
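The vault-style tokenization described two paragraphs up, plus one hypothetical way to get the "same token at every bank" property from the paragraph above, as an added example that is not code from the original post. RandomVault is the in-house pattern: the operational database holds a random token and only the vault can swap it back for the SSN. shared_token is my assumption, not something the post proposes: a keyed HMAC-SHA256 of the normalised SSN under a key issued by a tokenization service that the reporting banks use and the bureau never holds, so Bank A and Bank B derive the same token independently while the bureau stores no SSNs at all. Every SSN and key in the block is a constructed placeholder.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Added example (not from the original post). All SSNs and keys are constructed
# placeholders. shared_token is a hypothetical design, not the post's proposal.


class RandomVault:
    """In-house tokenization: random tokens, reversible only inside the vault."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_secret: Dict[str, str] = {}

    def tokenize(self, secret: str) -> str:
        if secret in self._by_secret:       # same SSN -> same token within this vault
            return self._by_secret[secret]
        token = "tok_" + secrets.token_hex(8)   # carries no information about the SSN
        self._by_token[token] = secret
        self._by_secret[secret] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can go back; the operational DB never holds the SSN."""
        return self._by_token.get(token)


def normalise_ssn(ssn: str) -> str:
    """Strip formatting so '123-45-6789' and '123456789' tokenize identically."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    return digits


def shared_token(ssn: str, service_key: bytes) -> str:
    """Hypothetical cross-bank token: HMAC-SHA256 of the normalised SSN under a
    key held by the tokenization service and its member banks, never the bureau."""
    mac = hmac.new(service_key, normalise_ssn(ssn).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def bureau_merge(reports: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """What the bureau would store: trade lines grouped by token, no SSN present."""
    merged: Dict[str, List[str]] = {}
    for token, trade_line in reports:
        merged.setdefault(token, []).append(trade_line)
    return merged


def credit_reporting_demo(ssn: str, service_key: bytes) -> Dict[str, object]:
    """Two banks tokenize the same customer independently; the bureau sees one file."""
    bank_a, bank_b = RandomVault(), RandomVault()
    local_a, local_b = bank_a.tokenize(ssn), bank_b.tokenize(ssn)   # differ per bank
    reports = [(shared_token(ssn, service_key), "Bank A: credit card"),
               (shared_token(ssn, service_key), "Bank B: mortgage")]
    return {"local_tokens_differ": local_a != local_b,
            "bank_a_can_reverse": bank_a.detokenize(local_a) == ssn,
            "bureau_file": bureau_merge(reports)}


if __name__ == "__main__":
    print(credit_reporting_demo("123-45-6789", b"constructed-service-key"))
```

Why a keyed MAC rather than a plain hash: there are only about a billion possible SSNs, so an unkeyed SHA-256 of an SSN is reversed by enumerating them all; the secret key is what stops the bureau's token table from being a thin disguise over the SSN table, which is also why the key must live with the tokenization service and the banks, never with the party storing the tokens. The deterministic token is still a stable cross-institution identifier, so a breach of it is a linkability problem even though it cannot be turned back into an SSN without the key.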



© 2017 De-Coder’s Ring

Theme by Anders Norén