Differences between TCP and UDP

TCP and UDP are two very different protocols.  I’ve spent a fair amount of time over the years explaining these two protocols to our power engineers and technicians.  What better topic to post here.

TCP is more reliable but has more overhead.

Probably the most important thing to realize is that only TCP has a true connection; UDP simply sends packets.  A TCP connection begins with a three-way handshake (SYN, SYN-ACK, ACK), which proves that both ends are alive before any data is exchanged.  TCP also hands data to the next layer in the proper order, and any missing segments are retransmitted.  UDP is connectionless: each datagram stands alone, and whether the application treats a series of them as a stream is entirely up to the application.  The protocol itself does not care if packets arrive out of order, or at all.  Because there is no handshake, a UDP source address is also trivial to forge, which is why UDP services are the usual vehicle for spoofed reflection and amplification attacks.  TCP's reliability comes with the overhead of the handshake, acknowledgements and retransmissions, which makes UDP seem like the ideal choice for low-bandwidth connections.

Before choosing protocols, consider the communications medium and purpose.  A remote ICS/IIoT device connected via a wireless or cellular connection should be configured to use TCP, whereas the same device connected to a leased line should utilize UDP.  My experience is that all cellular data connectivity including 4G experiences enough variation to cause problems for UDP-based devices, where TCP-based devices barely notice.  Additionally, I always recommend TCP unless you are bandwidth constrained on something like an old 56k digital circuit.

Voice, video or other data streams which can withstand missing and out-of-order packets should always be run over UDP for maximum quality.

TCP and UDP ports can exist at the same number

Since TCP and UDP are separate protocols, their port numbers are separate namespaces: UDP/443 is not the same thing as TCP/443, and a service can listen on one without the other. Take care when configuring ACL and NAT rules in your network, especially on devices whose rule syntax does not distinguish the two (a rule that opens "port 53" may open both).

DNS is the most common example of this. UDP/53 is used for the vast majority of domain name lookups, while TCP/53 is used primarily for zone transfers (AXFR/IXFR) between servers.  If you need to stop zone transfers, simply blocking TCP/53 at the edge might be enough (never tried myself), but be aware that it also breaks any lookup that falls back to TCP after a truncated UDP response (the TC bit, common with DNSSEC and other large answers); the safer control is the server's own transfer ACL, such as BIND's allow-transfer.
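To make the "same number, different protocol" point concrete, here is an added example (my code, not part of the original post) that binds a TCP listener and a UDP listener to the same port number on loopback and delivers a constructed DNS query for example.com over each.  The port number is whatever the kernel hands out, the query is built by hand rather than sent to any real resolver, and the TCP side shows the two-byte length prefix DNS requires on TCP (RFC 1035, section 4.2.2).

```python
"""Added example: TCP and UDP port numbers are independent namespaces.

Binds a TCP listener and a UDP listener to the SAME port number on loopback,
then sends a constructed DNS query (A record for example.com) over each.  The
UDP side receives the bare message; the TCP side receives it behind the
2-byte length prefix DNS requires on TCP (RFC 1035, section 4.2.2).
"""
import socket
import struct

HOST = "127.0.0.1"


def build_dns_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    # flags 0x0100 = standard query, recursion desired; QDCOUNT = 1
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_txid(msg: bytes) -> int:
    """The transaction ID is the first two bytes of the header."""
    return struct.unpack("!H", msg[:2])[0]


def _recv_exact(conn: socket.socket, n: int) -> bytes:
    """TCP is a byte stream: keep reading until exactly n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed early")
        buf += chunk
    return buf


def demo_same_port(qname: str = "example.com") -> dict:
    """Listen on TCP and UDP at one port number; deliver a query over each."""
    query = build_dns_query(qname)

    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind((HOST, 0))          # let the kernel pick a free TCP port
    tcp_srv.listen(1)
    port = tcp_srv.getsockname()[1]

    # Binding UDP to the same number succeeds: it is a different protocol.
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind((HOST, port))
    tcp_srv.settimeout(5)
    udp_srv.settimeout(5)

    # --- UDP: one datagram, no handshake, no framing ---
    udp_cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_cli.sendto(query, (HOST, port))
    udp_msg, _ = udp_srv.recvfrom(512)   # classic 512-byte UDP DNS limit

    # --- TCP: handshake first, then a length-prefixed message on the stream ---
    tcp_cli = socket.create_connection((HOST, port), timeout=5)
    tcp_cli.sendall(frame_for_tcp(query))
    conn, _ = tcp_srv.accept()
    conn.settimeout(5)
    length = struct.unpack("!H", _recv_exact(conn, 2))[0]
    tcp_msg = _recv_exact(conn, length)

    for s in (udp_cli, tcp_cli, conn, tcp_srv, udp_srv):
        s.close()

    return {
        "port": port,
        "udp_msg": udp_msg,
        "tcp_msg": tcp_msg,
        "tcp_wire_len": 2 + length,
        "txid_matches": parse_txid(udp_msg) == parse_txid(tcp_msg) == 0x1234,
    }


if __name__ == "__main__":
    r = demo_same_port()
    print(f"TCP/{r['port']} and UDP/{r['port']} both delivered: {r['udp_msg'] == r['tcp_msg']}")
```

The same message arrives on both listeners even though they share a port number, which is exactly why a firewall rule written as "port 53" without a protocol may be opening two different services.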

Disagree with me or I missed something?  Please let me know with a comment!


Splunk query for privileged group modification in Active Directory

Here’s a Splunk query to list any membership changes to privileged Active Directory groups.  Event IDs 4728, 4732 and 4756 are a member being added to a security-enabled global, local and universal group respectively; 4729, 4733 and 4757 are the matching removals:

sourcetype=WinEventLog:Security (EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4756 OR EventCode=4757) 
(user_group="Domain Admins" OR user_group="Enterprise Admins" OR user_group="Administrators" OR user_group="Schema Admins" OR user_group="Account Operators" 
OR user_group="Backup Operators" OR user_group="Cert Publishers" OR user_group="Cryptographic Operators" OR user_group="DHCP Administrators" 
OR user_group="DnsAdmins" OR user_group="Domain Controllers" OR user_group="Read-only Domain Controllers" OR user_group="Network Configuration Operators") | 
table EventCode, EventCodeDescription, user_group, user, src_user | 
rename EventCodeDescription as "Description", user_group as "Group Changed", user as "User Added/Removed", src_user as "Changed By"

I have this set up as both an alert and a monthly report to catch any undocumented changes to these groups.  You may also want to consider a monthly listing of the members of these groups as well.
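The same detection, run outside Splunk over a handful of constructed events, as an added example (mine, not from the original post).  The event lines are made up in the same key=value shape as the Splunk fields above, the privileged group list is the one from the query, and the one extra check is my own: a change is flagged when the account making the change is the account being added, since nobody should be granting themselves Domain Admin.

```python
"""Added example: privileged-group change detection over constructed Windows
Security events, mirroring the Splunk query above.  Not real log exports."""
import shlex
from dataclasses import dataclass

# Member added to / removed from a security-enabled global, local, universal group
ADD_CODES = {4728: "global", 4732: "local", 4756: "universal"}
REMOVE_CODES = {4729: "global", 4733: "local", 4757: "universal"}

# Same group list as the Splunk query
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins",
    "Account Operators", "Backup Operators", "Cert Publishers",
    "Cryptographic Operators", "DHCP Administrators", "DnsAdmins",
    "Domain Controllers", "Read-only Domain Controllers",
    "Network Configuration Operators",
}

# Constructed sample events in the Splunk field shape (not real exports)
SAMPLE_EVENTS = [
    'EventCode=4728 user_group="Domain Admins" user=jsmith src_user=ADMIN-alice',
    'EventCode=4732 user_group="Remote Desktop Users" user=bob src_user=helpdesk1',
    'EventCode=4756 user_group="Enterprise Admins" user=svc-backup src_user=svc-backup',
    'EventCode=4729 user_group="Domain Admins" user=jsmith src_user=ADMIN-alice',
    'EventCode=4624 user=jsmith src_user=jsmith',
]


@dataclass
class GroupChange:
    event_code: int
    action: str        # "added" or "removed"
    scope: str         # global / local / universal
    group: str
    member: str
    changed_by: str
    self_change: bool  # the actor changed their own membership


def parse_event(line: str) -> dict:
    """Parse 'key=value key="quoted value"' into a dict (shlex handles quotes)."""
    fields = {}
    for token in shlex.split(line):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def detect_privileged_changes(lines) -> list:
    """Return GroupChange records for privileged-group membership events only."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        code = int(ev.get("EventCode", 0))
        if code in ADD_CODES:
            action, scope = "added", ADD_CODES[code]
        elif code in REMOVE_CODES:
            action, scope = "removed", REMOVE_CODES[code]
        else:
            continue  # not a group membership event (e.g. 4624 logon)
        group = ev.get("user_group", "")
        if group not in PRIVILEGED_GROUPS:
            continue
        member, actor = ev.get("user", ""), ev.get("src_user", "")
        hits.append(GroupChange(code, action, scope, group, member, actor,
                                self_change=(member.lower() == actor.lower())))
    return hits


if __name__ == "__main__":
    for h in detect_privileged_changes(SAMPLE_EVENTS):
        flag = "  <-- SELF-GRANT" if h.self_change else ""
        print(f"{h.event_code} {h.member} {h.action} {h.group} by {h.changed_by}{flag}")
```

Of the five constructed events, three survive the filter: the two Domain Admins changes and the svc-backup self-grant into Enterprise Admins, which is the one the Splunk table would show but not call out.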

Decluttering your social media

I’ve decided that one of my new habits is to keep my social media footprint to a bare minimum.  Listening to the newly discovered Complete Privacy and Security podcast has definitively changed my mind on how I handle my opsec.  Mike and Justin do a great job with describing the ins and outs of exactly how our social media footprint can be used against us in many ways, not only by attackers but also by the company providing the service.  While their take on personal privacy is way too extreme for me, there is definitely something for every infosec professional to glean from this podcast.  I highly recommend it.

Besides covering my opsec, I wanted to purge any potentially embarrassing things that I may have forgotten about on my public persona.  Who knows what impact my party pictures from 2008 might have on getting a job in 2018?  Look at all of the people who have been seriously burned when something they post goes viral, only to rain down troll hellfire on them when it is later discovered they have a picture of something offensive or embarrassing.


Purging my old photos was relatively easy.  You can access almost all of your photos in their respective albums.  I simply deleted the albums that I no longer wanted, and downloaded a ZIP file of the albums that I did want.  When you are judging what to keep and what to toss, remember how many of these photos are likely in your Google or iCloud account as well.  Tagged photos are more problematic.  They require that you manually untag yourself in each one – not a user-friendly task.  I recommend that you hold off until a bit later for the solution to this issue.

Purging my old Facebook posts was not as easy.  At first, I tried purging my Facebook posts manually.  I quickly ran into exactly why more people do not attempt this – Facebook doesn’t make this easy at all.  I spent a couple hours trying to clean up every post manually for the first half of my initial year on Facebook.  The process was brutal and caused a definite carpal tunnel flare up on my mouse hand.

My next attempt was to use a much-discussed Greasemonkey script called “Timeline Cleaner for Facebook.”  The product did not work as advertised, hiding instead of deleting the posts matching my criteria.  The script was also very slow, constantly popping up “script is taking a long time” warnings from Firefox.  I allowed the script to run for about three hours, but it only went back a little over a year in that time.

Finally, I discovered the “Social Book Post Manager” extension for Chrome.  This extension worked exactly as advertised and allows you to delete or hide all posts meeting certain criteria.  I was able to purge everything that could be purged from my first year on Facebook in just a few minutes.  A second run was able to hide everything else in a few seconds.  The only real drawbacks to using this plugin are that you can only delete/hide at most one year at a time and that you cannot automatically hide what you cannot delete.


Purging my old Twitter posts was dramatically easier.  TweetDelete is a web service that not only does a one-time purge, but it can also delete your tweets when they hit a certain age.  I simply signed up for the service and let it take care of the rest.  The whole process only took a few minutes.


I didn’t spend much time cleaning up my LinkedIn history – there just wasn’t a lot there besides my resume.  A few clicks and everything was cleaned up.

Once you have done the bulk cleanup, I suggest you review what is still available publicly.  If there is anything you think might hurt you in the future, you should probably just delete it.

Repealing Net Neutrality will hurt rural areas

I live in far Northern Maine – past the end of I-95. I would not have been able to earn my BS or MS degree without reliable internet at an acceptable cost. There are no local options for the MS in Cybersecurity that I earned entirely online.  I would have to leave for over a week to get my SANS certifications without access to their online training program.  And I would have had to drive three hours to take that same certification test if the local community college test center did not have reliable and affordable internet access.  There are also no local opportunities for me to network with others in my field. I am completely reliant on affordable access to the internet to grow my knowledge and network – including access to social media and streaming video for online courses. I am also very fortunate to have a well-paying job, unlike many in my area who live at or below the poverty line. How will their children be able to access these same opportunities without affordable internet access?

Most of Maine is rural, and *if* internet access is available to you there is typically only one option. I live in a town where I have two crappy options at the moment (Spectrum and Fairpoint) and one good local option (Pioneer Wireless). How long will it be until all of those options require pay-to-access? Even our local provider could be forced into the model if their peering partners require it. How long will it be until one or more of those local providers go out of business or decides to stop serving us due to lack of profits? Verizon has already proven this will happen by dropping a few hundred rural LTE customers who likely had no other options.

Repealing Net Neutrality will add just one more nail to the coffin of rural Maine, just as it will for many rural areas in the US. Thankfully, it looks like three of the four Maine representatives are on board to support Net Neutrality (that third one is a squirrelly turd, so I don’t hold out much hope for him).

If you haven’t yet – please reach out to your Congress or Senate rep. It’s easy! Just go to https://www.battleforthenet.com/ and use their easy tool to contact them. Speak out on Twitter using the hashtag #NetNeutrality. Speak out on Facebook to your friends. Post your story on Reddit like I did. But most importantly – contact your government representative.  They are the ones with the real power to make a difference in this battle.

CISSP certification

I’ve been toying with getting this certification for a while, but now I see it seems to be a golden ticket to get past the HR filters at larger companies. The cert demonstrates a broad knowledge of the overall security landscape and appears to be best suited to management types (cue pointy-haired boss).

Working on my CISSP certification has been interesting. I have yet to purchase any books, but I have downloaded both iOS apps. I was quite amazed by how well I did in each domain test with no prep. Unfortunately my overall average is still about a 65 – not enough for me to pass with a comfortable margin.

My next step is to pick my way through the study guide app and Cybrary training class to see how far I can get without purchasing the book. I want to pass the test by end of year and get on with my other priorities. Wish me luck!

Random DNS lookups by Chrome

After a couple of hours of boredom waiting for a conference to start, I decided to fire up Wireshark and see what I could see across the wireless.  I was greeted with the first few packets appearing to be my machine reaching out to random domains on the internet. Something was attempting to look up random hostnames on every domain in my search list.  This freaked me out more than just a little.  Was my machine infected with malware randomly trying to call home?

Thankfully not, unless you consider Google Chrome malware.  According to Bojan over at the SANS Internet Storm Center, Chrome issues three DNS queries for random hostnames to determine whether the ISP is redirecting failed lookups, i.e. returning an address instead of NXDOMAIN for names that do not exist.  Chrome pre-resolves and pre-caches pages while you are still typing in the address bar, so it performs a lot of DNS lookups; if an ISP such as Time Warner (now Spectrum) uses a catch-all DNS zone to redirect failed lookups, Chrome cannot trust those answers and cannot use its pre-caching features.  Hence these checks, which run in the background – apparently even when Chrome is just sitting in memory with no window open.

Just another reminder to stop all external processes when you are packet spelunking.
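For the next person who sees this in a capture, here is an added example (my code, not Chrome's and not from the original post) that finds Chrome-style probe triplets in a DNS query log and applies the same redirect test Chrome is checking for.  The log lines are constructed, the "random lowercase label of 7 to 15 characters" pattern and the ten-second grouping window are my assumptions, and the decision rule (two of three random names resolving to the same address means the resolver is hijacking NXDOMAIN) is my reading of the ISC write-up rather than a quote of Chrome's source.

```python
"""Added example: spot Chrome's random-hostname probes in a DNS query log and
decide whether the upstream resolver is redirecting failed lookups.
Log lines are constructed; pattern, window and rule are assumptions."""
import re
from collections import defaultdict

# Assumption: a probe is a single random lowercase label of 7-15 characters.
# The resolver may append a search-list suffix, so only the first label is tested.
RANDOM_LABEL = re.compile(r"^[a-z]{7,15}$")
WINDOW_SECONDS = 10  # assumption: the three probes are sent together

# Constructed log lines: "<epoch> <client> <qname> <rcode> <answer-or-dash>"
SAMPLE_LOG = """\
1500000000 10.0.0.5 vqhxtkqzl NXDOMAIN -
1500000000 10.0.0.5 mlzkrpqwiudx NXDOMAIN -
1500000000 10.0.0.5 hwqzpnte NXDOMAIN -
1500000001 10.0.0.5 www.example.com NOERROR 93.184.216.34
1500000600 10.0.0.9 qkzwmtpxa.corp.example NOERROR 198.51.100.77
1500000600 10.0.0.9 zpwqlkrmtnoy.corp.example NOERROR 198.51.100.77
1500000600 10.0.0.9 tplmnqzwk.corp.example NOERROR 198.51.100.77
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into its fields."""
    ts, client, qname, rcode, answer = line.split()
    return {
        "ts": int(ts),
        "client": client,
        "qname": qname.rstrip(".").lower(),
        "rcode": rcode,
        "answer": None if answer == "-" else answer,
    }


def looks_like_probe(qname: str) -> bool:
    """True when the first label is random-looking lowercase text."""
    return RANDOM_LABEL.match(qname.split(".")[0]) is not None


def classify_probe_windows(log_text: str) -> list:
    """Group random-label queries per client and time window, then decide:
    - >=2 of them resolve to one address  -> resolver hijacks NXDOMAIN
    - all of them return NXDOMAIN         -> Chrome probe, resolver is honest
    - anything else                       -> inconclusive (could be a DGA, too)
    Returns (client, verdict, address) tuples, one per window with >=3 probes."""
    windows = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        if looks_like_probe(q["qname"]):
            windows[(q["client"], q["ts"] // WINDOW_SECONDS)].append(q)

    verdicts = []
    for (client, _), qs in sorted(windows.items()):
        if len(qs) < 3:
            continue  # Chrome sends three; fewer is not the pattern we want
        answers = [q["answer"] for q in qs if q["rcode"] == "NOERROR" and q["answer"]]
        repeated = sorted(a for a in set(answers) if answers.count(a) >= 2)
        if repeated:
            verdicts.append((client, "nxdomain_hijack", repeated[0]))
        elif all(q["rcode"] == "NXDOMAIN" for q in qs):
            verdicts.append((client, "chrome_probe_clean", None))
        else:
            verdicts.append((client, "inconclusive", None))
    return verdicts


if __name__ == "__main__":
    for client, verdict, addr in classify_probe_windows(SAMPLE_LOG):
        print(client, verdict, addr or "")
```

In the constructed log the first client's three probes all come back NXDOMAIN, which is the benign case from the conference capture; the second client's probes all resolve to one address, which is the catch-all zone Chrome is trying to detect.  Malware DGAs also produce random-looking names, so the useful signal here is the triplet in one short window, not the randomness alone.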

At a crossroad

My family is approaching a major life crossroad: My stepson will graduate from high school next year and head off to college.  We have all decided a change of scenery would be great for all of us. Our current home doesn’t offer much for his future, and there isn’t much hope of that changing. We’ve decided to move partially to support his education and reduce the likelihood he will start his adult life buried in the same financial debt many of his peers will face.

My wife and I are also looking forward to the opportunities this change can offer all of us, both personally and professionally.  We both languish in our current careers and feel trapped due to the limited opportunities in the area.  Our master’s degrees in our chosen fields should offer hope, but the failing local economy simply does not offer what either of us is looking for.  This has been our home since birth, but we sadly cannot see a positive future for our family here.

After 20 years working for the same company, the time has come to put some real thought behind the next steps in my career. I’ve been all over the map recently, but one theme runs throughout all of it – I want to focus on security. My experience in IT and the energy industry has shown me there are nearly infinite opportunities available. I could pentest, consult, audit, or anything else I can find a position for. How can I find something that suits my experience, desires, and financial requirements?

My current thinking is two-fold: First to commit to moving up the management track. I have a great deal to offer this role: mentorship, leadership, experience. And if anything, I’ve gained a great deal of insight into what not to do.  I’ve witnessed first hand how great leadership can take an organization to new heights, and conversely how failure to keep an eye on the basics can crush an organization from the inside.  I’m actively pursuing projects and training in my current role that further this goal.  My plan is to take not only what I know now, but a good base of ‘boring’ skills which are integral to good management: project management, finance, and communication.  I may need to step my way into the track in a lower role, but I can shoot for the moon until then.

Second is to commit to a real side hustle which will allow me to make some extra cash to finance my desire to learn other aspects of security. My initial plan is to start some limited vulnerability assessment work, using that to finance learning other aspects of the field such as penetration testing, etc. This blog is part of that effort – I don’t expect to earn any kind of meaningful revenue from it, but I hope to showcase some of my learning and work. I’ve also toyed with the idea of teaching over the years.  The quickest way to learn anything is to teach someone else to do it.

Now comes the scary part – putting this all into action. One step at a time.

Sendmail took down my site!

After a week of being very busy with other things, I wanted to take a few minutes and check on my blog only to be greeted by “Site cannot be reached.” SSH’ing into the site resulted in a similar response. So what happened?

A week prior, I decided that I needed to migrate Sendmail over to Postfix. That part was easy enough – the Postfix install removed Sendmail and after a few quick changes everything was up and running. Or was it?

At some point, either Linode or I rebooted the server. Suddenly the IPv4 interfaces would refuse to come up.  The logs show one error that repeats:

ifup /etc/network/if-up.d/sendmail Can't open /usr/share/sendmail/dynamic

It seems that wonderful removal process didn’t remove the ifupdown hook script (/etc/network/if-up.d/sendmail) that calls Sendmail every time an interface comes up; with the package's files gone, the hook failed and took the whole networking job down with it.  Thankfully the fix was simple: purge what was left of the Sendmail packages and restart networking:

sudo apt-get --purge remove sendmail sendmail-base sendmail-bin
sudo /etc/init.d/networking restart

Sometimes, I’m my own worst enemy…

Reference: https://www.linuxquestions.org/questions/ubuntu-63/sendmail-not-letting-me-restart-networking-service-667894/


Oh you sneaky bastards!

Equifax lost over 140 million customers’ personal information in a recent breach.  44% of Americans just lost control over their Social Security, driver’s license, and credit card numbers along with their names, birth dates, addresses…basically everything required to start building false identities and robbing them blind.

The company’s initial response is to give us all free credit monitoring…their credit monitoring.  Uhm, really?  Couldn’t you hold on to my information properly in the first place?  Why the heck would I want you telling me if the information you lost is being used to impersonate me?  Off to Credit Karma I go…

Equifax released the information after the market closed in an attempt to cushion their losses.  So you put my money at risk, but try not to risk yours?  The stock has rebounded to $142/share this morning, which goes to show just how little investors care about the risks associated with this breach.

Here’s my professional opinion on this breach:  Nobody is going to get any wiser until you make a solid example out of them.  Equifax has more control over our financial lives than even our banks.  They should be brought to their proverbial knees to make sure all big business knows how seriously we take this.  A class action lawsuit that awards $10 to each affected person would levy a $1.4 billion fine, plus the SEC fines that will likely be involved.  Additionally, the company should be forced to create a trust fund set aside to right any wrongs caused by their negligence.  It should be managed by an impartial third party and be held against the company’s financials as a liability.

A huge fine would create a definitive material impact on Equifax’s bottom line, likely lasting for years to come and driving the stock down.  Being forced to maintain such a huge liability would further poison the waters for future investors.  The market losses alone could be enough to educate larger investors to be wary of security risks in the future, and would definitely bring the ire of regulators to hopefully set more stringent regulations on credit bureaus.  Wait…do regulations do anything but create auditors?

Or we could just Fight Club this one…

Where to check if you have been affected: www.equifaxsecurity2017.com


  • https://www.wired.com/story/how-to-protect-yourself-from-that-massive-equifax-breach/
  • https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
  • http://www.worldometers.info/world-population/us-population/
  • https://www.google.com/finance?q=NYSE:EFX

Update 9/8/17 10:47am

It looks like all of us poor schlubs who signed up for the free TrustedId service also waived our rights to join a class action lawsuit, buried deep in their terms of service (Thanks TechCrunch for pointing this out to all of us in the TL;DR crowd).  We might not have given up our rights just yet, as all of us who started the enrollment process don’t appear to have actually enrolled yet.  I was told to come back on 9/12 and finish the process.  Sorry – I would rather sue.  Hopefully, I still can.

Oh wait – these putrid fuckers sold over $1mil in company stock after the breach but before public notification?  “But I didn’t know…so it’s not insider trading?”  Can we prove beyond a shadow of a doubt there were no whispers around the water cooler?  This reeks of insider trading – even if they didn’t know at the time.