The Road to Eagle | Phase Two: Fences, Welding, & Machining

2018-05-14 09:09:30 -0400

Following up from here, I’m now happy to report that the final phases of the project are complete!

The Fence

Repair

In a slight deviation from the earlier plan, we managed to discover during the operation the missing piece to the back fence. With that in mind, a skilled welder & fellow scout in T577 offered his services to repair the fence. You can find some great video coverage of that repair here.

Painting

After waiting some time for the weather to finally clear up, I got a chance to finally take my family and a friend, the team, back there and paint the fence. Only took a single coat and two hours. Paint gloves made the job much easier.

The Sign

After some online research and consulting with the Centreville Robotics & Engineering Department, I settled on a material and sign. 6061-T4, .061[1/32] in (Grade, Heat rating, thickness) with a dark bronze anodization (honestly looks more black than bronze).

The Sign mounted on the CNC

We tried to CNC it with a 1/16th inch end-mill, however, it decided to break on us twice. A switch to a 1/8 tapered ball nose saved the day, after a 1.5 hour rerun of the cut.

Finished Product, with the text “CROUCH FAMILY \n CEMETERY” engraved

The design was self-created in Autodesk Inventor 2018. The design will be posted online shortly.

The mounting is planned for later this week, as I still have to drill through the metal to run a chain through it.

Paperwork

Other than that, the documentation is submitted and I’m scheduling my conference now. It’s been a long but worthwhile run. A final update is to follow shortly.

HS Freshman Selected for First-Ever NetSec Focus Project of the Month Winner

2018-05-02 11:57:38 -0400

NetSec Focus

As announced (not as a joke) on April 1st

Introducing the Project of the Month

Did you create something good? Achieve something? Find a vulnerability? Bag an internship? Tie your own shoelaces? Not wet the bed? Are you receiving the appropriate amount of recognition for your accomplishment or just want to show off? Project of the Month could be right up your strasse.

On the 8th of April submissions for project of the month will open. Now is the time to brag about what you’ve done. Don’t be shy, success begets success. Submissions will close on the 22nd and voting begin ready for an announcement of the Project of the Month on the 30th April. There may be prizes but they will need to be tailored to the project and won’t likely allow you to retire any time soon (think sub-$30). All projects will be showcased; the winner and runners up will receive glory in abundance.

Start thinking about what you want to show off, for this first month we will consider projects done from January 2018 to date. Further information will be released soon. If you have any immediate questions you can reply to my link to this message in ~General here https://mm.netsecfocus.com/nsf/pl/ipyxk5opkibkugwxxndzg8ooah

After 55 votes, the results were in… thanks to everyone who voted for CVE-2018-7213!

Announcement Post

[UPDATED] Followup Publication to CVE-2018-7213 | Abine Blur | GMU

2018-03-28 14:38:51 -0400

Update 2018-04-05

In a recent turn of events, a post has been made by @FCPS_NEWS on Twitter about the discovery:

Another Publication!

In recent news, I’ve had the opportunity to appear on the Volgenau School of Engineering’s Blog for my first CVE discovery!

Presentation! | CVE-2018-7213 | Abine Blur

2018-03-12 11:20:57 -0400

Prelude

I had the chance this weekend by invitation (coordinated by GTA Jay Gala) to present to the Network Forensics course at the Volgenau School of Engineering, George Mason University. Bob Osgood, MS Director of the Digital Forensics & Cyber Analysis Program, is the professor for the course.

CVE Presentation

Below is a copy of my presentation. Please use the email on the slides or any of the other means listed on my blog page to contact me with questions.

Slidedeck

If the following doesn’t load, please go here

Advisory for CVE-2018-7213 | Abine Blur Web Extension

2018-03-10 15:08:31 -0500

CVE Project Overview

Skip this section if you already understand the CVE Project.

(Source: https://cve.mitre.org/about/index.html)

Common Vulnerabilities and Exposures (CVE®) is a list of common identifiers for publicly known cybersecurity vulnerabilities.

Use of CVE Entries, which are assigned by CVE Numbering Authorities (CNAs) from around the world, ensures confidence among parties when used to discuss or share information about a unique software or firmware vulnerability, provides a baseline for tool evaluation, and enables data exchange for cybersecurity automation.

CVE is:

  • One identifier for one vulnerability or exposure
  • One standardized description for each vulnerability or exposure
  • A dictionary rather than a database
  • How disparate databases and tools can “speak” the same language
  • The way to interoperability and better security coverage
  • A basis for evaluation among services, tools, and databases
  • Free for public download and use
  • Industry-endorsed via the CVE Numbering Authorities, CVE Board, and numerous products and services that include CVE

Why CVE

With & Without CVE

CVE was launched in 1999 when most cybersecurity tools used their own databases with their own names for security vulnerabilities. At that time there was significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.

CVE’s common, standardized identifiers provided the solution to these problems.

CVE is now the industry standard for vulnerability and exposure identifiers. CVE Entries — also called “CVEs,” “CVE IDs,” and “CVE numbers” by the community — provide reference points for data exchange so that cybersecurity products and services can speak with each other. CVE Entries also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.

CVE ID number

(i.e., “CVE-1999-0067”, “CVE-2014-10001”, “CVE-2014-100001”).

The CVE Contains:

  • A brief Description of the security vulnerability or exposure.
  • Any pertinent References (i.e., vulnerability reports and advisories).

The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds References, and then the completed CVE Entry is added to the CVE List and posted on the CVE website by the CVE Team.

Topic: Abine Blur Password Manager Insecure Permissions

  • Category: Abine Blur
  • Module: Blur Web Extension
  • Announced: 2018-03-10
  • Credits: RS Tyler Schroder
  • Affects: 7.8.242*
  • Corrected: 2018-02-28
  • CVE Name: CVE-2018-7213

I. Background

Abine Blur is a password management suite combined with online anonymity tools.

II. Problem Description

CVE Description

The Password Manager Extension in Abine Blur 7.8.242* allows attackers to bypass the Multi-Factor Authentication and macOS disk-encryption protection mechanisms, and consequently exfiltrate secured data.

Technical

Abine Blur 7.8.242* failed to secure the right-click context menu, allowing an attacker with either physical access or remote-desktop access to disclose passwords, emails, and usernames of the victim without triggering a second-factor request.
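A minimal model of this class of flaw, added here as an illustration and not taken from Abine Blur's code: one UI entry point checks the lock state while a second one reads the credential store directly, shown next to a design where every path goes through a single gate. All class and function names and the sample record are constructed.

```javascript
// Added illustration: hypothetical names, not Abine Blur's code.
class AuthRequired extends Error {}

// Constructed sample record.
const SAMPLE = [["example.test", { username: "alice", password: "constructed-secret" }]];

// Weak design: the records are reachable from any UI code path, so every
// entry point has to remember to check the lock state on its own.
class WeakVault {
  constructor(entries) {
    this.records = new Map(entries);
    this.unlocked = false;
  }
  unlock(secondFactorOk) {
    this.unlocked = Boolean(secondFactorOk);
    return this.unlocked;
  }
}

// The popup path checks the lock before returning data...
function weakPopupFill(vault, site) {
  if (!vault.unlocked) throw new AuthRequired("second factor required");
  return vault.records.get(site);
}

// ...but the context-menu path was written separately and never checks.
function weakContextMenuFill(vault, site) {
  return vault.records.get(site);
}

// Hardened design: the records are private and read() is the only way out,
// so no entry point can skip the second-factor check or the unlock timeout.
class GatedVault {
  #records;
  #unlockedAt = null;
  constructor(entries, { ttlMs = 5 * 60 * 1000, now = () => Date.now() } = {}) {
    this.#records = new Map(entries);
    this.ttlMs = ttlMs;
    this.now = now;
  }
  unlock(secondFactorOk) {
    this.#unlockedAt = secondFactorOk ? this.now() : null;
    return this.isUnlocked();
  }
  isUnlocked() {
    return this.#unlockedAt !== null && this.now() - this.#unlockedAt < this.ttlMs;
  }
  read(site) {
    if (!this.isUnlocked()) throw new AuthRequired("second factor required");
    return this.#records.get(site);
  }
}

// Every entry point, the context menu included, calls read(). A locked or
// timed-out vault yields a re-authentication prompt instead of data.
function gatedContextMenuFill(vault, site) {
  try {
    return { action: "fill", credential: vault.read(site) };
  } catch (err) {
    if (err instanceof AuthRequired) return { action: "prompt-second-factor" };
    throw err;
  }
}
```
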

III. Impact

Access to secured data can lead to secure information exfiltration, a 2FA bypass, and a further undisclosed MacOS(x) disk encryption console bypass (to access secured Abine Blur data).

IV. Workaround

No workaround, as the vendor has issued a patch.

V. Solution

Update your browser plug-in per your browser vendor’s instructions. Firefox 5x.xx and Chrome 63.x are known to automatically update to the latest version.

VI. Timeline of Events

  • 2018-02-13: Discovery of Vulnerability
  • 2018-02-13: Vendor Contacted
  • 2018-02-14: CERT/CC activated for vendor PGP coordination
  • 2018-02-14: Vendor responds (PGP)
  • 2018-02-15: CERT/CC [VU#714299] unable to assist further
  • 2018-02-16: MITRE Contacted for CVE
  • 2018-02-17: MITRE Confirms & Issues CVE (CVE-2018-7213)
  • 2018-02-28: Patch Issued
  • 2018-03-10: Public Disclosure.

The Road to Eagle | Phase One: Trees, Cemeteries, Fire Departments, and more Trees

2018-03-03 15:08:31 -0500

About the Project

For my Eagle Scout Project, I’m restoring an old cemetery just near the Union Mill Rd and Compton Rd intersection [about 200ft beyond 6940 Union Mill Road, Clifton, VA 20124].

History of the Cemetery

The cemetery I’m restoring belongs to the Crouch Family of Clifton, Virginia. This is the same Crouch Family who helped found the first school in the town in the year 1874, just 13 years after the town’s inception. The cemetery is believed to have been started between 1874 and the late 1930’s, before embalming was widespread for burials.

Discovery

The site was actually discovered back in early 2017 when my next-door neighbor told us about the property. As we discovered later (and you can see for yourself below), it’s a wonder he even saw the site 50ft out from the roadside.

A photo of a very overgrown cemetery, with a single field-stone visible in the center. Many logs are around it

Tree Problems

Like any Eagle Project however, it’s not a completely smooth road to success (otherwise, what’s the point?). There was a nice, large (upwards of 20ft), rotten dead ash tree in the middle of the property.

A large, tall 20ft dead ash tree

However, that was easily overcome thanks to modern technology.

A member of JL's Tree Service cutting down the previously mentioned tree

JL’s Tree Service managed to come in (for a very good rate as well) and remove that roadblock.

Additional Thanks

Additionally, a kind neighbor in our community who was looking for firewood sources was able to lend his time and skillset to help me cut up the logs on the property, and reduce even further the pile that JL created from the Ash Tree. His abilities allowed us to make definite headway on the project. We were now in this state below:

A small pile of logs in the middle of the cemetery

Phase One – Cleanup

Adding to the track of possible problems, this project phase landed conveniently in the middle of the Eastern Windstorm, with wind-gusts going upwards of 70MPH in select areas. Thankfully, only one more tree came down, and it was outside of the cemetery.

Surprise Visit

One larger scare in the early morning was that we found a downed (assumed to be power) cable across the only access road to the property. I’d assumed that NOVEC’s StormCenter wasn’t enough, and (per some directions issued on Nextdoor) placed a call to the non-emergent line at the Sully Station. I’ll be honest in saying that I did laugh when they sent an entire fire engine out to move a single cable, but they came rather fast and took care of the issue before the rest of the volunteers arrived.

A picture of a firetruck in the far distance, engine ID 417

(My Girlfriend stated I’m not allowed to start conversations with her by mentioning that we only had the fire department out there once :p).

Back on Track

With that out of the way, we were able to move on to the actual clearing of the property. Thankfully, my Unit Eagle Coach (UEC) works for a landscaping company, and was able to bring some specialized (gas-powered) hedge shears that cleared the prickler bushes with ease.

My Unit Eagle Coach carrying the Hedge Shears

I divided up the property into four “quadrants” (as best I could make with the irregular property) and started with the right two. As this was ongoing, some crews started sanding the fence to be painted (at a later date).

Clearing

As noted previously, we cleared the property first, and then raked up afterwards. This minimized the amount of moving bodies when we had high-power tools out and about. One element that assisted with the clearing was using tarps to haul out large quantities of waste quickly.

Three workers using a tarp to haul materials out of the property

After a tarp was filled, we took it to the “curbside” of the road, and filled two trailers with waste to get the most amount transported to the dump (and minimize cost, as it was a $10-per-run fee).

Attaching a trailer to a car

Sanding

Another obstacle was the fence. Over the many years it’s been in place, it’s thoroughly rusted over at this point. (An important thing to note is that we weren’t going to strip the rust completely; that would’ve been a waste of time.) With a crew armed with drills (with wire-brush attachments), sandpaper (150 grit did wonders), and wire brushes, they set out and tackled the entire fence over four hours of constant sanding.

A team sanding the fence

Trees redux

Of course, the trees didn’t leave us alone. There were plenty of smaller trees to tackle, and one-by-one our crew took them down.

Final Picture

At the end of stage one, we had a beautiful (as a cemetery can be) cemetery once again.

Final Picture

Looking Forward

This journey isn’t over yet though. Coming up next is:

  • Painting the fence
  • Ordering/Affixing the Site Sign
  • Administrative Paperwork…

(To be updated in a later post. Please check back soon!)

Skiing Awareness | Or Why You Never Go It Alone

2018-01-28 10:04:23 -0500

Recently, I had the chance to head on a skiing adventure with a local Boy Scout troop. One of the lessons they teach early on is the use of the buddy system (TL;DR Always have someone with you, especially during high-risk activities).

So In theory

In theory, this basic principle allows for improved safety, and the two may be able to prevent the other becoming a casualty, or rescue the other in a crisis. In Alpine conditions, where rescue could be delayed for a prolonged time, this system is critical to ensuring participant safety.

What Actually Happens

When participants aren’t careful (think younger age groups), they end up splitting up. Groups want to do different things, they have people skiing at different ability levels and speeds, and forgetfulness often tries to negate the benefits.

How this came into play

I had spent the early morning skiing with my buddy (both of us with similar skill and speed), when we approached an S-turn where the Salamander (“Green”, Beginner) trail merges with Off the Wall (“Double Black”, Hardest). At that turn was a solo skier, who took the turn, but made three critical mistakes.

  • Turned Too Fast: this turn is much tighter than the map leads you to believe, requiring skiers to slow down to turn properly.
  • Improper Turn: the skier wasn’t fully aware about their abilities, and while at high speed, tried to turn, but ended up crossing their skis in the process, throwing them off balance.
  • Improper Fall: this article goes into better detail about the correct way to fall (forwards), rather than sideways onto the side of the slope (and their body).

Buddy System to the Rescue

When this skier went down, my buddy and I both stopped to see what we could do. When I determined the injury was severe enough to warrant additional help, I was able to have my buddy go for help, while I stayed with the victim. We were never able to locate the solo skier’s buddy, even though they claimed to have two with them.

Aftermath & Lessons Learned

Eventually, ski patrol arrived, and were able to transport to the base of the mountain. A field diagnostic returned a possible Tibia fracture/break (much worse than the twisted ankle that was originally thought).

The second man with me was critical to getting the skier off the mountain in time. By being able to stay with the skier, it was possible to prevent someone from running them over and/or additional damage to be caused, while still having help arrive on-scene in a timely manner. So don’t go it alone, bring a second with you. It may very well help save someone else, or even you.
