using the new noscript addon with firefox 57 (quantum)

Recently, Mozilla has been pushing out its new Firefox 57 aka Quantum. The main reason I still use Firefox as my primary browser is the ability to turn off all scripting with full control using NoScript (IE can’t really, and Chrome I don’t trust fully with its built-in allows for Google). So it was extremely jarring when one of my systems updated to Quantum and removed my ability to use NoScript. Turns out, NoScript needed to be rewritten from scratch in order to work in new Firefox versions, which apparently was a rude surprise for even the author. Since then, he’s been working to get the new version stood up and functional.

When NoScript got started again as a WebExtension, it lacked any sort of temporary permissions control, which I use constantly. Soon, it got a global “temporary allow all” which is not something I would even touch. Now, however, we do have more granular control on temporary permissions. Unfortunately, the UI isn’t very clear on what’s happening.

My Use-Case: I browse the webs with Firefox+NoScript. When starting a fresh browser install, I install NoScript immediately and remove all the defaults so that I trust nothing at all. Then I browse what I normally browse. As pages don’t load or functionality isn’t working, I’ll examine what is blocked by NoScript. I then make a judgement call on whether to permanently trust (i.e. allow a script to execute on that page) or temporarily allow it, which means only as long as my browser process is active. Tomorrow, temporary permissions will disappear and I’ll start all over again. Clearly, websites I visit often will have a few permanent allows, but by and large, I leave everything blocked that doesn’t interfere with my ability to consume a web site.

So, let’s get back to the UI. How do I do what I was doing for many years in the new NoScript UI? (WARNING: The add-on is currently in active development, and these screenshots and steps may become obsolete in weeks or days. The version I’m referencing here is 10.1.5.5.)

Here’s what I see on ESPN.com:

And here’s a view after I change a few things:

So, what do I do with my typical use-case now? I browse to a site and see it’s not displaying properly. I click the NoScript addon icon (or ALT+Shift+N) to open the drop-down window with all sorts of scripts that want to execute. I click the blue “S” next to one I want to allow. This defaults to temporary allow, and whichever HTTP/HTTPS protocol it pertains to. If the site switches to HTTPS, I’ll need to do this again. If I see a bunch of subdomains under a domain that I trust, I’ll make my choice next to the entry that starts with a “…”. This latter situation is good to use with CDNs which can come from one of many subdomains.

Typically, I choose one script to allow, let the page reload, and keep repeating until I’m either satisfied with how the page looks/works, or I’ve exceeded my level of personal risk with the scripts I’m loading. Sometimes, I see 50 scripts that want to run and just decide the content is not worth wrestling with scripts to get it to work (often video embeds will be quite the hunt to get to work).
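The allow decisions described above (temporary by default, tied to HTTP or HTTPS, with “…” entries covering subdomains), modeled as an added example. This is not NoScript's code: the `ScriptPolicy` class, the rule that a “…” entry applies on either scheme, and the placeholder hosts are all assumptions.

```javascript
// Toy model of a default-deny script allowlist; not NoScript's own code.
// Assumed entry forms: "https://host" is an exact scheme + host match,
// "…domain" covers the domain and its subdomains on either scheme.
class ScriptPolicy {
  constructor() {
    this.permanent = new Set(); // survives a browser restart
    this.temporary = new Set(); // dropped when the browser process exits
  }
  allow(entry, { temporary = true } = {}) {
    (temporary ? this.temporary : this.permanent).add(entry.toLowerCase());
  }
  endSession() {
    this.temporary.clear();
  }
  static matches(entry, scriptUrl) {
    const { protocol, hostname } = new URL(scriptUrl);
    if (entry.startsWith("…")) {
      const domain = entry.slice(1);
      // Match on a label boundary: "evilcdn.example.net" is not under "cdn.example.net".
      return hostname === domain || hostname.endsWith("." + domain);
    }
    return entry === `${protocol}//${hostname}`;
  }
  // Returns "permanent", "temporary" or "blocked"; anything unlisted is blocked.
  decide(scriptUrl) {
    for (const e of this.permanent) if (ScriptPolicy.matches(e, scriptUrl)) return "permanent";
    for (const e of this.temporary) if (ScriptPolicy.matches(e, scriptUrl)) return "temporary";
    return "blocked";
  }
}

// Constructed walk-through with placeholder hosts.
function demo() {
  const policy = new ScriptPolicy();
  policy.allow("http://www.example.com"); // temporary by default
  policy.allow("…cdn.example.net");       // one entry for a CDN's subdomains
  policy.allow("https://news.example.org", { temporary: false });
  const urls = [
    "http://www.example.com/app.js",
    "https://www.example.com/app.js",   // same host over HTTPS: needs its own allow
    "https://a7.cdn.example.net/lib.js",
    "https://evilcdn.example.net/x.js", // shares a string suffix, not a parent domain
    "https://news.example.org/main.js",
  ];
  const before = urls.map((u) => policy.decide(u));
  policy.endSession(); // browser restart
  const after = urls.map((u) => policy.decide(u));
  return { before, after };
}
console.log(demo());
```
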

This sounds like I might be complaining about my cheese being moved. And partly I am. But, let’s face it, the change is needed and we’ll end up with even more granular control over script execution with this new NoScript version with features I’ve not even touched in this post. If anything, I’m annoyed with Mozilla for putting users like me in this situation where, for several weeks, I effectively was browsing the web with my pants down or not browsing it at all.

2017 goals in review

Late last year and into this year I made some training and professional goals for myself. I thought I had posted about them, but it turns out I didn’t really post those tidbits (I have a whole host of things in my own notes), but I figured I would provide an update on what I did in 2017 in regards to those goals.

I spent about 2 months preparing for the PWK/OSCP lab and exam pairing, and over 3 more months in the course lab, and passed that exam. Probably one of the most satisfying things I’ve accomplished in my career. Really, anything I say about it and what it means to me is an understatement.

Through the summer months, I was bogged down a bit with a job that I have just since decided to move on from (I have a week off this week!), and I had really set aside more time for a possible OSCP re-take. Failing a first attempt on that exam is not uncommon, but this did leave me with some extra time for the year.

I also had told myself I should check off another Offensive Security course and cert pair: WiFu/OSWP. I can happily say that I signed up for this course just over a week ago, and this week passed the exam. It’s definitely something I wanted to get done in 2017, and having a week or two off has given me the time to focus on it.

I spent significant time taking some courses on Linux Academy, namely reviewing the Linux Essentials course and RHCSA prep course. I’ve used Linux at home for many years, but have never really had any true formal study in Linux, so this has been nice to fill in some gaps in my knowledge. The Essentials course is mostly review for me, but I have learned a few things. The RHCSA cert itself is not something I will pursue (since my title does not include Linux in it), but I do find it useful to have that level of aptitude and workability in Linux. I started this course as part of an obligation to my employer, and since I’m changing jobs, I’ve put this one more into casual studying over the past few months. This is one of those nice items where my own personal goal fit with my job duties and training requirements.

Among other less tangible goals, I’ve made progress in building out my home lab this year based around ESX running on an Intel NUC. As with any lab, it still needs plenty of work, and that will roll into 2018. I’ve also built the habit of attending local security meet-ups, namely SecDSM, through the year. And I’ve also gotten my hands on a few extra old laptops that I can use for additional exposure to non-Kali pen testing platforms.

Job-wise, this was a really big year. This marks the second full year for me being a true full-time security professional. Through the rest of my career, security has always been a part of my duties, but I was still always a sysadmin first and a security admin second (for those who have had that sort of hybrid role, you know what I mean). Last year and this year have been good in this regard; it really does make a world of difference to be able to devote serious time to improving security rather than constantly getting interrupted with small and large operational tasks.

All told, it’s been a transition year for me, and a very good one on almost every front. And while I have some individual accomplishments in the bag, my biggest takeaway has been just being conscious of my career direction, my learning habits, and my continued training. I slacked off over the past several years, and getting back on track has been a huge deal to me and my happiness and enthusiasm.

the wifu/oswp experience and alternatives

Just over a week ago I signed up for the Offensive Security WiFu/OSCP course and exam. This week I took and passed the exam. Much like the OSCP exam, this is a hands-on practical exam whose goal is to break into several wireless networks.

What sort of material does it cover? Well, there is a syllabus posted. But breaking it down, about a third of the material is about the 802.11 wireless spec, plus some tips on hardware and setting up wireless in BackTrack 5. Another third covers cracking WEP encryption with various attacks. Another roughly 20% covers WPA/WPA2 PSK cracking (old, insecure setups). The last roughly 15% covers graphing tools for wireless recon and MITM/client attacks using airbase-ng, airserv-ng, airtun-ng, and karmetasploit.

Is the course dated? Well, yes. But learning the basics is the first step to learning the harder stuff. And keep in mind, back in the early to mid-2000s, it was ridiculously exciting to see wifi hotspots popping up everywhere and start cracking insecure WEP and WPA configurations, all with the backdrop of grey, largely undefined laws regarding wifi shenanigans. That said, I do wish it covered more stuff or had an advanced version of the course to cover Bluetooth, SDRs, mobile devices (to an extent), pineapples, and other fake AP/client shenanigans. But, I do understand there are severe challenges to the labs to accomplish all of that.

If it’s dated, is it worth the money? That’s always going to be a personal decision.

Can the same material be found elsewhere for less overall cost? Of course! And in lieu of actually purchasing the course, here are sources that should hold the same knowledge as presented in the course (and so much more!) for less monetary cost.

802.11 Wireless Networks (O’Reilly blue bats book) acts as the best technical reference for wifi. Incidentally, a new edition is due in 2018. The first third of WiFu is the briefest of summaries about the 802.11 spec.

Hacking Exposed: Wireless (Wright/Cache) is a complete book for wireless weaknesses and attacks, and will cover Bluetooth and SDRs. It’s not going to walk someone through every single issue, but will fuel google searches for more complete tutorials on pretty much everything.

Penetration Testing: A Hands-On Introduction to Hacking (Weidman). Weidman’s book devotes only a small chapter to wireless hacking, but it covers the bulk of what WiFu covers: WEP and WPA auth and key recovery.

Aircrack-ng tools wiki/documentation. The WiFu material reads pretty closely to the documentation of these tools, and will cover things like airserv-ng and airtun-ng.

Metasploit Unleashed is a free course hosted by Offensive Security, and has a section devoted to a tool that I don’t think is covered by any of the above sources: Karmetasploit.

All of the above should cost less than the course, but provide just as much information and far beyond as well. (Which does translate into needing to spend more time doing and more time reading many more pages.) There are also undoubtedly plenty of related videos and how-tos over the years for these topics as well posted in various free and less-free sites.

traveling tips and notes from a cyber warrior

I’ve not had too much cause to travel all that much, but enough to know that these tips are pretty complete and excellent: The Infosec Introvert Travel Blog. For the most part, traveling is still often a personal matter; do what you feel you’re comfortable and secure with doing. Be safe, be happy, and find some measure of enjoyment, even if it’s just reading a book in the hotel bar.