Blog 3 — The Art of Cyber Tech

08.29.2025

Going forward with AI security will have to pay attention to AI drift, input, and API type things. A different set of monitoring types. Unlike traditional software where there are more predictable process and activities, AI processes can go different directions, and drift. There will be different monitoring and controls for that. And since AI is asked to do things, there will need to be monitoring and controls around that too. Things like stopping an input to unpatch something or add bad data.

And if AI does something bad, do we have to call HR?

08.26.2025

Low cost VPNs

Low cost VPN service come with a lot of risks. The travel path maybe starting in Russia and route through Amsterdam, before hitting your org. The risks include weak encryption, malware and adware, data logging, DNS and IP leaks, and more. The best options for protecting the organization is to use MFA, use IDS/IPS tools with block type rules, network segmentation, and patching everything. And of course monitor for successful connections, not just the failed ones. Low cost VPNs tend to get overlooked as an attack. surface, but is one that need to pay attention.

08.15.2025

An old engineer saying

They use to say there fast, good, and cheap as choices when building something; and you can only pick two of the three things. Something can be good and fast, but it will not be cheap. It can be good and cheap, but not fast. Sometimes the business part of saving cost is the first and foremost factor that determines this. AI may build software quickly, but there are still bugs and security holes in it. But the need to get your product out there fast is something hard to avoid when you want good and cheap. And it is fair to say that using AI to build apps address the cost saying side and not support and deployment things. Many things now are the devil of good and fast, but cost is the king. Plus it takes time for buyers of software to move from a Salesforce to an AI created option, just as it does when we move from one app platform to another. And that includes the average 3 year contract cycle. The creator may make their choices or fast, good, and cheap, but, the buyer likely will lag behinds. The creator is chasing market share and the buyer lags behind that as well.

07.31.2025

Servname not supported for ai_socktype

Everything with computers is a clue. If you discover an FTP server out there example ftp.cutepugggies.com and run dnsmap, you will likely get some sort of IP address output for the domain link. Then if you try to open a link to that FTP server and add -A, you may get the ai_socktype error which is in reference to TCP and UDP socket.sock.stream and socket.sock.dgram, respectively. Meaning the server accessed the connect on some level and let you know ops that is not allowed vs giving you back nothing. Tells us that we are making contact. From there you just need to keep digging. And of course fix the security issues.

07.30.2025

Getting AI past being a spell check

From investment firms concerns to security issues, AI is still trying to get there. It is still an idea in search of being a product. AI is not yet a product like an iPhone, that the next money earning wave can be shouldered. In a recent Bloomberg News article hey noted that some hackers were able to instruct an AI tool to basically un-patch itself. In other example hackers were able to inject their code into things coders used. When the coder used the AI tool it returned code with intended security holes in it. If we take a step back from the business side of using AI and look at it as security engineers, the first thing to see is the AI tools and the code it returns to the coder, is not check by AI. Our want from AI is that the code it gives back would be bug free. And in time AI should replace the general EDR system. At this stage AI is a faster search engine with better input tools. It is no yet a solution that will write error-security-hole-free code or write original security monitoring apps. The challenge for us the security engineer is that the cost savings to let AI output 80%+ of the code the company will us, has bugs and holes in it. The financial savings part is a hard point to overcome when security holes are an abstract until someone tells AI to un-patch its code and we are hit with ransomware. When the company saved costs by reducing the coders we have from 100 to 30, saying but we could get hacked, seems hollow at best. Tough being us.

07.23.2025

Use the tools

A common situation that happens is most companies is not building out a security app after deployment. In next gen firewalls, SIEMs, EDRs, etc. often we do not use all the available options. We get into habits and trying a unused feature takes on a risks element to trying. We often find very few of the security features are used in next gen firewalls. We often do not mine data out of our SIEMs. Build automatic workflows. Build custom alerts based on knowing our environments. Out of the box are the words guiding us. We rely on the vendor assuming they are covering everything when they are covering a enough for it to work. Some of that is the sense that we just spend a ton of. cash on the app, why do we have to do the work. Fair enough, but, security apps are tools. They are frameworks you build off of. Security apps are not a end in themselves and are open to expanding the use. It is the goal to protect the enterprise, and that includes building out tools after the deployment. And that means learning new skills and getting better at new things.

07.21.2025

One small thought

Always deal with remote execution vulnerabilities in your compute environment. And not just OS related ones. Most of us are okay on patching the OS. Less are good about updating apps and related things. Having a web server with a remote execution exploit with ports 80 and/or 8088, will be discovered. It is not hard to discover websites by scanning for domain names and then determining OS, web server brand, and the relative ages of all that. So if a hacker finds payme.highworldfinding.com scans for the open ports and finds port 80 open, they can run Nikto or the like and find vulnerabilities and other bad things. Patching apps and doing some basic pen testing is a cheaper way to securing environment. And it is not the hardest operational process to put in place. And final thought, a vulnerability management solution generally points out the exploits, they don’t fix them. That part is on us.

07.18.2025

Network Packet Sniffer, VM scanning, and Alerting

There is activity that happens continually in a computing environment, that largely go detected or even watched. Think of the general monitoring tool. Most do not have network packet inspection. So if, someone is scanning your network from the outside, other then some things on the firewall, would will alert us? Curious about the gaps EDR’s have I did some testing were I used Wireshark and then ran a series of tools, such as, nmap, zenmap, recon-ng, etc, to see what wireshark would show, and what a custom alert or monitor rule could be used to detect things. The first stark result is wireshark displayed a lot of red traffic and from my Kali laptop as the source. The least that happens in the firewalls and VPN devices should have events. And if the network devices are configured data sources for the EDR’s or SIEMs, we should at least get some raw logs information. There is also clues that come out of barrier system raw logs. If we see X access attempts from a blacklisted IP or country in y seconds/minutes, on your SIEM/EDR systems, there is a good chance there is not a solid rule (or at all) configured on the barrier device. I had one situation where a backup VPN device was out of date and did not have a rule to block hack attempts to that device. The device was discovered and parties were send thousand of attempts, because they could. Once a rule was added that helped reduce the attacks.

07.17.2025

Your item has shipped, click here to track it!

But wait all it say is the label has been created, not shipped. My guess it is a marketing thing trying to be too cute. Invoke the rush that my stuff is on the way, when it is not. Brand trust is a critical thing. After getting the message your item has shipped 2-3 times when only the label was printed, creates negative reactions toward the firm in customers minds. Oh they are playing me. Getting my hopes up like a cheap thrill. Tech needs to help build brand loyalty and trust. We should have the message be the label has been created, almost there. Then send the item has shipped message, whwn it really was shipped. But only when it has in fact shipped. Seems we are missing an opportunity saying an item has shipped when only the label was created. We are all in sales as the saying goes. Marketing please take note. Stop making our jobs harder.

07.16.2027

More Fun with Python

It maybe silly of me but I get a kick out of running pyhton -m http.server 800, then going to a browser and typing http://localhost:8000 and seeing the directory tree. And navigating the folder structure and opening files without vi or the like, bridges the system OS gaps. All that I was doing on a kali linux Thinkpad Carbon X1 5th gen. I was also running some test to see what Wireshark picks up when creating reverse shells using python to create TCP/UDP stacks, etc. Sure Wireshark is a packet sniffer and most EDR’s are not, but I want to understand why EDR’s cannot detect someone creating a python UDP client and then running a python ncat type tool? Part of the game. Black hat are trying to find the gaps and evade sec-app-tools. It is good to learn how and where the licenced app we spend huge money on fail and don’t even look for.

07.15.2025

SAAS paid monitoring is not a get out of jail free card. There is a lot that does not get watched. Some solutions, well known ones at that, use. tactics to show us a lot of data which does not line up. In one such tool there was an event where host 1 comminuted with host 2 for the first time. And that generated an alert. However, in the event data stream there were 150 account lockout events. After much searching the two sets of alerts were unrelated. The act host 1 talked to host 2, had nothing to do with the lockout events. So why are you showing me the huge blob of data? Well that is just how it works. And I should know to just like a tab for “alerts” that is for the “actual alerts”. Which to me was not the point. I asked several times why the extra unrelated data was being shown, and no answer was coming. The vendor product support engineer had no idea. It really was just how it worked. Personally, I think it is to give the sense more is being done than there is. The service is a paid SAAS more data even disjoined, is better, for them. The other issues was why was I not getting alerts directly for lockout events? I had to write a custom alert to find that on my own. Paid IR is are magic words. They are the promise of for a little money we will cover everything. Of course, I am more critical these days. After hard work to understand what I am looking at, I can see and find the gaps. I can see what is being covered and watched and what is not. Many think all data is recorded to a log and an EDR or SIEM just catch it all. But even in an AWS we have to capture data to a S3 bucket and create custom alerts to be warned. But many just think the money paid for a service just does that. Not as much as we wish. If we write crap API code and don’t make it secure, monitoring solutions will not find that stuff. If your web site always frame insertions, you have to use OSINT tools for that. Some enterprise solutions don’t even monitor is a child process has the wrong root process ID, or, notepad is making LDAP queries. But because we get event ID 4740 for account lockouts (from the DC security logs), it gives us the sense all things are covered. No tool paid or otherwise can do everything. But, we need to see and mind the gaps, before we paid up for 3 years.

07.09.2025

Pen Test Yourself

A few times a year I like to run pen tests against my home devices and network. The normal things of what vulnerabilities that maybe showing up. I may start with Armitage and do a nmap, to see what is showing up, and what services. You can use zenmap, and other tools. And switch to Metasploit if Armitage does not have all the exploits available. Like any pen test these tools may not find everything. So have a little fun and see if you can gain access to your own systems. See what the kid next door wanting to be a hacker and try to access you. Be the kid hack yourself. If nothing else you learn more how to find things, and understand things. Many security engineers come from Windows OS backgrounds, so, the habit is if you patch the OS and have anti-virus running you are good. Right? Plus, the more you can pen test yourself, the more you see the gaps EDR and other monitoring/scanning tools miss, or just don’t look at. Not all security tools check child processes having the same root process, as the root process does. The first defense is always patch the OS and apps, but also update apps. Then pen test your own kingdom.

07.02.2025

Just a musing…

With AI it is supposed to give us better searches. However, I have been finding that is not always the case. I searched for what beers available in the 1960’s are still sold today, and it only gave me a list of beers no longer available. In some search engines it seems like the first thing it gives us is an AI generated summary of a topic. Then everything additional is their old searches. Then in other ways, they try to make it seem AI is writing something on the fly. It seems more the search is finding a Python script and just displaying the result line by line making it look like AI is writing it. Marketing. But, the blob of data when you search on what does expensive query mean, it does write precise writing. Very uniformed. You can tell a human did not write it. That is great for dictionary type things. I have never used an AI tool to write a term paper, but I think it would be noticeable the student did not write the term paper. I mean each person has their own way of presenting writing. Most of us are not so precise. In a professional chess match they track how well each player picks the correct next move. Most grand masters are in the 90% ranges, but never 100% correct. You can ask humans to write an article about global warming and some people will be wordy and put in too many, one the other hand things. AI gives a precise document on a topic with a lot of data to get the article from. Then output the data in a precise way. And most code AI gives us is not perfect. Someone still has to review the code. It appears to be writing code on the fly, but then it should be original and not have bugs. Who wants to bet there will be a future event, where coding bugs in a DLL blowed up the world , because every AI used the same DLL ito learned from?

07.01.2025

Tech Tips - The EDR Trap

There is a habit we have bore out of too much to do and tech changing too fast, to over trust EDR apps. We tend to think that an EDR system is covering every process and activity going on our computers. The true is closer to they only monitor a small number of things. Vendors or staff has to code every rule that looks for things that need to be alerted on. That would be a too costly effort. No vendor app could be affordable if they covered everything. And that is not taking into account the resources needed. Next time you have a security monitoring vendor in for a dog and pony show as the questions, If someone tries an API injection hack, do you monitor that, and, if a child process changes the root process ID, do they alert on that? Sure they will tell you if someone was added to the domain admins group, or, sets a user password to expire, or, reads DC security logs for event ID 4740, most do. They tend to give you these types of alerts, but go less deep than you think. When you buy an EDR system you think it is covering more than it is and because we spend money, it is the vendors problem to cover things. The best we can do is pick flexible solutions that allow custom alerts and rule from the collected data. And don’t assume if you point a data source to a SIEM that everything is picked up. In most cases if you have an in-house app and credit cards numbers are recorded to a log, don’t assume that log is read and the CC write is captured to the EDR or SIEM. Generally you have to create a collection type and write custom rules to generate notices. If you create an app in AWS you have to create the collection and write custom rules in Trail-guard. Then port that collected data to a SIEM. It is not magic. We still have to do the work.

06.27.2025

Tech Top - Zenmap

One Security tool that most people find helpful and easier than most is Zenmap. Zenmap has a nice GUI UI that is easy to understand and use. With Zenmap you can scan whole IP subnet or a single host. There are an array of scan levels from intense to ping to regular scan; depending on you needs. From the scans you see a lot of information such as open ports, the type/brand of router, and host details. I tend to use Zenmap for internal as a house keeping tool. It shows me what hosts have appeared in different parts of the internal network. What OS or its last boot. Zenmap may not be used for pen test where nmap maybe more common, but it has its place in your tool box.

If you search Zenmap usages you may see it’s a limited vulnerability scanner. This tool is more of network and host discovery thing. Nmap and other tools are better for vulnerabilities. And that is from an external testing perspective. For internal vulnerability scanning use something like Rapid7 VM or like tool.

06.26.2025

Tech Tip - Using Python to create TCP/UDP Clients and Servers.

When pen testing sometimes access to a target requires a TCP client ro test service or send data. To do these we can use Python to create a TCP/UDP client. This involves a basic amount of code

Import socket, Targethost =, argetport, client = socket.sock(socket.AF_INET, socket.SOCK_STREAM), etc. You get the basic idea. There are like coding to make it a UDP client and a server. From there we can use python to create a sniffer or use Burp Suite and other tools. Python can give us the tools to probe systems that do not have the tools install.

And, it is good to know how these things work. Hackers sure do. Us on the inside need to know how things work to safeguard against the bad guys.

06.25.2025

How could this happen????

That question came up when it was discovered that a coin miner had been install on a linux server in company X’s server farm. That was not such a mystery. The server in question was a web server with port 80 open to the internet. Then the server was running an out of service version of Tomcat. The unwelcome guest just used an OSINT app like recong-ng to get a list of domain names and IP’s, and then ran an app like Nikto, Metasploit, or even nmap to discover vulnerabilities. With the open port 80 they had a good idea it was a web server and then what kind of web server. Then it was just a matter of exploiting a remote execution and gain access to the box. There are two things to be learned from this. The first is always update the apps on a server. Just patching the OS is not enough. The second is many servers are public facing and there are many OSINT tools that anyone can use to discover you. I regularity run recon-ng to see if senior team members went into the wild and registered their corp name at an event or conference (happens a lot and they use the same internal password).

But when we are spending a ton of cash on SAAS solutions we think they cover more than they do.

06.24.2025

Small tech tip.

Have you ever been trying to test somethings or see how a open. source app works but needed a web site? There is a simple option to having that. It is using Python3. Python3 has a command python3 -m http.server 9000 (port). That starts a mini website. If you open a browser and type http://localhost:9000, it will display a folder list. Using this simple website you can run a scan using Nikto to see what security holes there is or test using Burp suite. It is limited but useful.

03.24.2025 The Art of Cyber Tech

If anyone spends any time in. the red-blue team activities or even the black-gray-white-hat areas, you may have noticed that there are not a lot of pen testing tools around files. Some monitoring tools will have detection rules for downloads and uploads of files. They may have detection rules that say user bob1 downloaded 11 files from SharePoint or OneNote, and say that extra file is X% more than the rule was set for. And what do you do with that other than contact the user? If the user says no and some hacker stole files, it is kind of like counting how many chickens you have left after the fox had visited. For defense against file theft, you have to created the good defenses from the outside in. You need some DLP tools to help prevent files leaving the coupe. And have good internal ACL controls and isolation of critical information sources. Because if you look at the penetration tools. included in/with Kali Linux, there are really no tools for accessing files. The core reason is if you get inside the hen house in root ways, no tools are needed but copy. There is the old joke of the dreaded right click attack when some is both an AD and WMware admin, you could steal all of AD with a right click and copy. Alot of all that is because in most orgs minds monitoring tools to. guard entry into the hen house is the same as internal controls. DLP seems like a nice thing to get too later. Once inside the hen house the fox only has to grab and run.

03.05.2025 The Art of Cyber Tech

There is one major difference between the hacker and the organization, hackers are very hands on and businesses want set and forget. The average CISO wants a handful of silver bullets where they pay a vendor to. man the watchtower watching for an attack. That remains the case even though most hacks into and organization go undiscovered. We separated ransomware other hacks because how each is conducted. But hacks, into a business are most often finding an unknown weakness. Before Log4J no security app scanned for that. There was no event being written to event logs (though most people don’t know how EDR’s work). Nonetheless, companies pay for solutions they want to turn on and wait for email alerts and notices from the vendor. Half of that is too many tasks and too little time, and, being UI junkies. And it takes time and effort to learn how things work under the covers, so wanting a tool to tell you there is an event comes with the issue. Cyber security is a lot about knowing what your treasure is; what hackers will try to steal, and what is abnormal-normal in your environment. And each environment is different. The security tools you can buy shoot to cover the most common things. In your company the weak links are not likely to be the common things, so, vendors solutions are less likely to cover you. I know it is a hard pill to swallow. No one wants such an open ended set of tasks. It is easier to tell ourselves we can pay some money and not have to worry about security. But the hands on is where the hackers live. They get into the weeds looking for a weakness and exploit it. And they use the same tools white hat admin use to redefine their hacks until it goes undetected.

03.03.2025 Blog 3 Scott Steenburgh

Sabotage in the Kingdom…..sometimes when tech people stay in the same company and role for too long, they start to feel a sense of ownership. They start to forget that they work for an organization, an organization that has goals and objectives. We get to a place where our own preferences seem to us to be the same as the organizations. Though that is rarely the case. But we tell ourselves what is right for me must be right for everyone, why else would I what I do if it was not right? Then is some cases a peer or someone in another department does something we disagree with, so we throw them under the bus. We willfully cause them to fail. All the while we believe that action does no harm to the organization. The loser broke our rules after all. Sometimes when I have seen this happen and it comes to light with the leadership, the tech admin are shocked negative reactions came back to them. And again this happens when we are in the same company doing the same role for too long. That builds complancancy. It becomes a loop where we say I must be right because I have been here 12 years. If I were wrong sabotaging someone, I would have been booted out a long time ago. Such behavior is hart to see and clearly see. That means organizations have to always build a team culture of what is good and what is bad behavior towards each other.

01.17.2024

Technology has since 2007, sped up to such a rate that some projects can be behind before they are completed. Given the reality of FY and budgeting, the approval cycle can last longer than it takes to start buying and deploying a solution. Then if we guess wrong on the technology, it cannot be easily undone. This has been happening often the last 5+ years. IT makes a choice and maybe the vendors sales team stretched the promise a little, then you realize the mistake. But, likely we have a 3 year deal (to make the budget work), and CIO/CISO are on the hook, so you live with it. In the meanwhile, the right solution keeps evolving. By the time we get to where the wrong choice can be replaced, everything has changed. The first thought to getting around this is to view the tech we use as part of the business processes. And the leadership team needs to buy into that. At the very least we all have to give the speed of technological a good deal of respect. We cannot think it is a basic tool, like a printer. It is not often that companies factor how fast tech changes. Perhaps we need to do that.