halesec

Cloud. Security. Dogs.
Not necessarily in that order.
PGP: 0xC0EE29073A219F19

View My GitHub Profile

Deploying WireGuard on AWS with Terraform

I like having a VPN available to me for personal use when I’m traveling. Since I don’t at all trust any paid or free VPN service, I run my own in AWS for general privacy and security, as well as one at home to access my infrastructure there, as needed.

WireGuard is new-ish on the VPN scene which is dominated by the likes of IPSec and OpenVPN. I wanted to write a Terraform module to deploy it on AWS.

read more

Securely managing 2FA secrets

As much as I can, I tend to MFA all the things. Even if the account isn’t particularly sensitive, if it supports MFA and my name or any personal details are attached to it, it gets MFA enabled. This leaves me with a lot of 2FA shared secrets that need to be stored securely.

I, like most, started out by using Google Authenticator to generate 2FA codes. It served the purpose, but there was one time where my phone got reset and I lost all of my 2FA codes. That sucked. There is no native way to back up or export shared secrets from Google Authenticator, so there wasn’t an obvious mitigation strategy to be had.

Clearly, I needed a more resilient way to do this. I’ve iterated through a couple of solutions, and this is what I’ve landed on.

read more

Preparing for DEF CON

As so many in the infosec space are getting ready to depart for summer camp in Las Vegas, I’m starting to gear up for my first DEF CON experience.

There are many conflicting schools of thought on what sort of tech you should bring with you, from the uber-paranoid “bring nothing at all” to the lackadaisical thinking of treating it like any other event and bring what you want.

This is my first DEF CON, so I’m not really sure what exactly to expect and what advice is rooted in reality and what is merely FUD. To that end, I’m trying to strike a decent balance between the two.

read more

My Shmoocon Retrospective

Back to reality after Shmoocon 2018, which was easily the best con that I’ve been to so far. I got more out of Day 1 of Shmoocon than I did out of entire week of some certain other large cloud-y conferences. Granted, this was my very first con in the InfoSec space, so that may have had something to do with it, but overall, I loved the format, the talks, the people, and the extracurricular activities (CTF, Lockpick Village, etc). I loved it so much that I wanted to do an incredibly disjointed write-up on my experience. Enjoy!

read more

The Great Home Lab Rebuild -- Part 1: Storage

I returned from AWS re:Invent 2017, opened closet door that houses my home lab gear and heard that sound. You know the sound. Time to take action. So, do I buy another drive to keep the PC or NAS (I wasn’t sure which at this point), or do I rebuild the whole thing?

Well, since all of my lab gear was pushing 10 years, and a blog post about a drive swap would be boring AF, you can guess where we’re going…

The Great Home Lab Rebuild!

read more

Configuring AWS CLI access with MFA

When protecting important resources online these days, MFA is a must. Bank accounts, utilities, e-mail accounts, etc.

Protecting your account on your infrastructure provider should be no different. Especially considering not doing so can cause you great financial pain if someone deletes your critical resources, exfiltrates your data or spins up their own Bitcoin mining operation, at your expense.

AWS’ IAM, thankfully, has supported MFA for user accounts for quite some time now. Users can log into their accounts, register their virtual MFA token (Google Authenticator or what have you) and you’re off and running.

read more

Building your own DNS proxy, part 2: Writing the code

In my first post about building your own DNS “smart” proxy, I touched on the basics of how a smart DNS proxy works, how to build a basic version on a cloud provider and the paid alternatives that are out there. In this post, we’ll take that knowledge and productionalize, operationalize or whatever buzzword you want to use to refer to it as “not sucking”.

read more

Building your own DNS proxy, part 1: The basics

Over the past year, I have explored various DNS “smart” proxy services to use in a couple of my environments. The experience with some of these paid services, like Unblock.us and Unlocator, left a lot to be desired, so I decided to set out and build my own.

read more