Archive for the ‘training’ Category
Monday, February 1st, 2010
In this case, I’ll be arguing:
The easier it gets to write code (scripting, really), the sloppier it gets and the more insecure it gets.
We can see this because of the prevalence of SQL injection, cross-site scripting and error handling in the ever-expanding catalog of new sites appearing on the internet.
I cite this from personal experience. As of late people seem to care more and more for ‘how pretty it is’ and less about what actually happens behind the scenes. I’m reminded of the 90s when video games were stuck in 256 color 320×240, with bleeps and bloops for sound – if you didn’t have a good story people wouldn’t buy your game. Now things are different. All people seem to care about are the graphics, and the story, music, and gameplay are all phoned in.
These days I see new tools and applications online that in most cases make me shudder. A friend of mine, @quine, noticed something – the Android Foursquare application communicates unencrypted, using Apache’s ‘basic’ authentication.
Tags: 4sq, 4square, android, apache, auth, basic, foursquare, g1, iphone, packet, sniffing, zipline
Saturday, June 27th, 2009

I talk shop a lot. I talk to people who are security conscious, I talk to people who aren’t, and I talk to people who think that ‘security’ means evil hackers from Russia who are going to steal their credit cards. Think of security this way:
You run a shop. In this shop you sell things. Some things are physical, and some things are purely informational. In this store you run, do you put the combination to your back safe on a Post-it note on the cash register? Do you leave the keys to the front door out where the customers can get at them? Do you lock the safe and doors when you leave? Are there security cameras? Will you know if something gets stolen, or if someone is shoplifting, or if an employee is embezzling? These concepts are exactly the same, and sometimes when it comes to data, they’re far, far more important. Data controls all of our financial transactions, for example. Data controls how we do most of our business these days. Who *DOESN’T* use data for business transactions, banking information – or keeping secret data secret?
I keep saying to folks who I talk shop with: “Security isn’t what you think it is”. This is a perfect example. Tiny flaws in one’s security strategy, or even a lack of any security, can lead to an attacker (or law enforcement or a private investigator) being able to glean information to further their purposes.
Tags: cyber, detective, digital, recon, reconnaissance
Thursday, January 1st, 2009
I thought that doing security101 at places like Oggis may have been a tactical mistake because I want people to actually learn and benefit from some of this stuff. Having the discussion frequently broken by the wait staff simply murdered all the momentum the discussion had, and the event turned into a hacking 101 lab where I just demonstrated attacks.
That being the case, doing a security101 class in an actual classroom environment, where I can have the attendees comfortable and perhaps even have a projector, would likely be far, far better. Phelan was gracious enough to let me usurp the January installment of refreshsd to give my security101 talk in a more meaningful and more formal environment. Refresh this month is on the 13th – see refreshsd.org for details, or see the meetup group.
Here is my proposed curriculum:
Basic networking
- How do computers talk?
- What is a packet?
- What’s IN a packet?
Clear text versus encryption (HTTP, FTP, DNS)
How websites pass information around
How to tell if the site you’re on is passing your information encrypted or not
Some network voodoo – watching the stream
- driftnet
- dsniff
- watching DNS queries
(The next three may or may not be permitted depending on Qualcomm’s network configuration)
Basic man-in-the-middle example
Faking SSL certs
Changing DNS
Hope to see you all there!
Tags: 101, class, course, hacking, refresh, refreshsd, san diego, sd, sec101, security, security101, teaching
Tuesday, December 9th, 2008
Again I find myself in a position where I am in need of full time work. I was able to sustain myself as a full time freelancer for 8 months (not too shabby!), but now it seems the market is drying up, and while not for a lack of effort on my part to find sales people or to promote myself by basically bribing people with a 10% commission, I’ve not been able to get enough business to sustain myself any longer. I’ll not go into any of the nasty business of clients who decided they didn’t feel like paying me, or clients that had me draw up proposals only to vanish into the ether – because this post is about fun stuff!
All that being said – I like to be clever. I like to use ingenuity to do basically what everyone else does but put a fancy little twist on it. Historically when someone is looking for a job, they will hit some job search sites like Monster and Dice and then send their resume to people – never knowing if it gets seen with human eyes, or ever gets any attention. Who knows? Does your resume even get read? If it does, how soon? Wouldn’t it be nice to see the time correlation between when you sent your resume to someone and when they actually looked at it – or even if they looked at it at all?
Tags: apache, grep, grepping, howto, information, log, reporting, reports, visibility
Wednesday, November 26th, 2008
So security101 went fairly well – people didn’t show up until later, and I had spent too much time screwing around with ettercap and MITM attacks to have enough battery to complete the entirety of the talk with all the examples I had hoped for.
Some of the attendees ended up asking lots of questions so the ‘flow’ I had envisioned sort of went out the window – but I’d much rather have people interested and actively asking me questions: it shows interest. I’d rather have interest than have them all silent while I blather on and on.
We all ended up at my place afterwards and I was giving short demos on MITM DNS tomfoolery, rewriting all queries for microsoft.com to linux.com, and doing SSL MITM attacks against Hotmail using ettercap. Pretty fun stuff!
I’ll be holding the class again for anybody that missed it the first time and wants to have it again, but I haven’t chosen a date yet.
If you’re interested in a date, please leave a comment! I’d like to hold the class when more people can attend.
Tags: postmorem, sec101, security101, training
Tuesday, November 25th, 2008
Tonight I’ll be hosting a free Security 101 session at Oggis in Mission Valley.
Here is a brief list of subjects I intend to touch on:
- Networking and host/laptop/workstation configurations, and tools
- Local Firewalls
- Running Services
- Apps to manage inbound and outbound traffic
- Transmitting data: encrypted versus clear text
- Differences between WPA and WEP
- .. and some live examples!
Hope to see everyone there!
Tags: san diego, sec101, security, security101, training