Penetration Testing ~ InfoSec ~ SANS<br />
<br />
<b>Changes to Blogger Platform</b> (2019-05-20)<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">It looks like Google's Blogger platform is being deprecated (at least some parts of it); I plan to shift to another option perhaps at some point in the future. </span><br />
<br />
<b>Update</b> (2019-03-28)<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">My last blog post was in November of 2018, at which time I mentioned I was taking a hiatus from writing this blog; the reason for this decision was to dedicate extra cycles to writing a book instead!</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">My first book, scheduled to be released in June of 2019, is:</span><br />
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><br /></span>
<div style="text-align: center;">
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><span style="font-size: x-large;">The Penetration Tester's </span></span></div>
<div style="text-align: center;">
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><span style="font-size: x-large;">Guide to Web Applications</span></span></div>
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: "Helvetica Neue", Arial, Helvetica, sans-serif;"><a href="https://us.artechhouse.com/cw_contributorinfo.aspx?ContribID=2015&Name=Serge+Borso">The book</a> is currently in the process of copy editing and was a massive undertaking and challenge. More to come. </span><br />
<br />
<br />
<b>Blog Hiatus</b> (2018-11-30)<br />
Taking a hiatus to write a more professional publication. Expect an update in late Q1 2019 or early Q2 2019. Signing out for now.<br />
<br />
<b>SANS DEV522 September 2018 - New York, NY</b> (2018-08-31)<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">New York! SANS DEV522 - Defending Web Applications Security Essentials is coming soon...</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Class begins on September 17, 2018 (Monday through Saturday), when we will learn all about defending web applications while preparing for the GIAC GWEB (Certified Web Application DEFENDER) certification.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsmZ1pEoZBHEztudNOVaqzIkOttlB0sQgFD3eqZsPBDqT7zdySvoSpF1yjEEjoRhtAKBvDjfScyi3rYD4OIfIOxdbSEdZkBKzGpPcmsJYgBIjpEWOcaad3uDdE62dHBLvxTTWGg3x2Mbf2/s1600/gweb-gold.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><img border="0" data-original-height="200" data-original-width="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsmZ1pEoZBHEztudNOVaqzIkOttlB0sQgFD3eqZsPBDqT7zdySvoSpF1yjEEjoRhtAKBvDjfScyi3rYD4OIfIOxdbSEdZkBKzGpPcmsJYgBIjpEWOcaad3uDdE62dHBLvxTTWGg3x2Mbf2/s1600/gweb-gold.png" /></span></a></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span></div>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and immersive, hands-on training every day.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">One of my favorite things about this class is the amount of material; it's quite in-depth. You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">DEVELOPMENT 522: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/dev522-new-york-54285" target="_blank">www.sans.org</a></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">The topics that will be covered include:</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><span style="background-color: white;"><br /></span></span>
<br />
<ul>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Infrastructure security</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Server configuration</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Authentication mechanisms</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Application language configuration</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Application coding errors like SQL injection and cross-site scripting</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Cross-site request forgery</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Authentication bypass</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Web services and related flaws</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Web 2.0 and its use of web services</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">XPath and XQuery languages and injection</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Business logic flaws</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">Protective HTTP headers</span></li>
</ul>
<br />
<b>Vulnerability Scanners - Nessus</b> (2018-07-31)<br />
This is part one of a three-part series on vulnerability scanners; I plan to write a post each for Nessus, Nexpose/Rapid7 and OpenVAS. The aim is to highlight the pros and cons of each, describe how a typical setup works, what to expect from scan results and how to use the tools. Ultimately, the goal is to compare and contrast the products and provide some insight into why you might choose one over the other. The target audience is enterprise users with the need for a mature threat and vulnerability remediation program. While much of the information shared will be applicable to anyone in charge of running the scanning tools, the tone will be from an enterprise perspective.<br />
<br />
Today's post is on the Nessus product offering. Nessus is a proprietary vulnerability scanner developed by Tenable Network Security; Tenable just had (July 27th 2018) their IPO and is now a publicly traded company (for whatever that's worth, which happens to be about $30 at the time of writing).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWo68WhaVrRyt0rQvHYdwo19fxz2so8CfmLDklrMVZvp_KeNfT6CYeSleKtwgqR3yMD75IJdSS9opXqzHxLalSJOthamzcDsGwCJhuFRBu2B2COHfQkbi7Nieg79yOPuKkZHj6bppwfyqQ/s1600/p.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="315" data-original-width="802" height="125" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWo68WhaVrRyt0rQvHYdwo19fxz2so8CfmLDklrMVZvp_KeNfT6CYeSleKtwgqR3yMD75IJdSS9opXqzHxLalSJOthamzcDsGwCJhuFRBu2B2COHfQkbi7Nieg79yOPuKkZHj6bppwfyqQ/s320/p.png" width="320" /></a></div>
<br />
All vulnerability scanners that I am familiar with work essentially the same way: they rely on a series of vulnerability checks or "plugins" (or otherwise a database of known strings, characteristics, files, versions, etc. to search for) and a library of detailed information about each check, including remediation options and impacted software. For instance, a vulnerability check for MS15-034 will consist of a vetted way of stimulating a target system (sending network traffic) to induce a response, which is then parsed (inspected) and determined to either match a known vulnerable response or not. An example of a simple check is submitting an HTTP GET request, reading the response to pull out the headers and noting the version of PHP, then matching that version against a database of version numbers to produce output showing the known vulnerabilities for that software version.<br />
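As an added illustration of the banner-style check just described (this is example code written for this post, not Nessus plugin code), the block below parses a captured HTTP response, pulls the PHP version out of the headers and matches it against a small constructed plugin database; the plugin IDs, version ranges and the three responses are all made up for the example, and the result carries the caveat a practitioner needs, namely that a banner match is inconclusive when no version is advertised and can be a false positive where a distribution backports fixes.

```python
import re

# Constructed plugin database for the example. IDs, version ranges and
# remediation text are placeholders, not real Tenable plugin IDs or CVEs.
# A version v is flagged when affected_from <= v < fixed_in.
PLUGIN_DB = [
    {"id": "EXAMPLE-PHP-001", "product": "PHP",
     "affected_from": (7, 2, 0), "fixed_in": (7, 2, 10), "severity": "High",
     "remediation": "Upgrade PHP to 7.2.10 or later (placeholder advice)"},
    {"id": "EXAMPLE-PHP-002", "product": "PHP",
     "affected_from": (5, 0, 0), "fixed_in": (5, 6, 40), "severity": "Critical",
     "remediation": "Upgrade to a supported PHP release (placeholder advice)"},
]

# Matches "PHP/7.2.1", "PHP/7.2" and distro-suffixed "PHP/7.2.1-1ubuntu2".
PHP_RE = re.compile(r"PHP/(\d+)\.(\d+)(?:\.(\d+))?")


def parse_headers(raw_response: str) -> dict:
    """Return the header block of a raw HTTP response as a lowercase-keyed dict."""
    head = raw_response.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:          # [0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers: dict):
    """Version tuple advertised in X-Powered-By or Server, or None if absent
    (e.g. expose_php=Off), in which case a banner check cannot decide."""
    for key in ("x-powered-by", "server"):
        m = PHP_RE.search(headers.get(key, ""))
        if m:
            return tuple(int(g or 0) for g in m.groups())
    return None


def run_checks(raw_response: str) -> dict:
    """Run every PLUGIN_DB entry against one response. Tuple comparison keeps
    7.2.10 above 7.2.1, which a plain string comparison would get wrong."""
    ver = php_version(parse_headers(raw_response))
    if ver is None:
        return {"version": None, "findings": [],
                "note": "no PHP version advertised; unauthenticated check is inconclusive"}
    findings = [p for p in PLUGIN_DB if p["affected_from"] <= ver < p["fixed_in"]]
    return {"version": ver, "findings": findings,
            "note": "banner match only; distributions that backport fixes keep the "
                    "old version string, so confirm with a credentialed check"}


# Constructed responses for the example (no real host was contacted).
VULNERABLE_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                       "Server: Apache/2.4.29 (Ubuntu)\r\n"
                       "X-Powered-By: PHP/7.2.1\r\n"
                       "Content-Type: text/html\r\n\r\n<html></html>")
PATCHED_RESPONSE = VULNERABLE_RESPONSE.replace("PHP/7.2.1", "PHP/7.2.10")
SILENT_RESPONSE = ("HTTP/1.1 200 OK\r\n"
                   "Server: nginx\r\n"
                   "Content-Type: text/html\r\n\r\n<html></html>")

if __name__ == "__main__":
    for name, resp in [("vulnerable", VULNERABLE_RESPONSE),
                       ("patched", PATCHED_RESPONSE), ("silent", SILENT_RESPONSE)]:
        r = run_checks(resp)
        print(name, r["version"], [f["id"] for f in r["findings"]], "-", r["note"])
```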
<br />
Generally, what sets scanners apart is the number of vulnerability checks they have (and their quality and frequency of updates) and the ability to run the scanner in such a fashion that you as the administrator get accurate scan results in a convenient, consistent way. These two points are exceedingly important: you must have accuracy of data, and you need up-to-date vulnerability checks to help with the former. Also of importance is the ability to automate scanning and produce useful reports, as well as to configure or tune the scan engine to meet the needs of your organization.<br />
<br />
Accuracy of data matters because as a security practitioner responsible for enterprise security you need to understand the risk associated with a given asset/network to be able to adequately prioritize remediation. Additionally, accuracy matters because in the case of a false negative you may end up with a breach, and in the case of false positives you may end up eroding the trust in you and your team's ability to produce quality/actionable information. I've been in situations where false positives on a report resulted in the entire vulnerability remediation program being called into question across the enterprise and outsourcing of one's job to an MSSP being discussed.<br />
<br />
<b>So Nessus...</b><br />
<b><br /></b>
<b>Background:</b><br />
Note that Tenable has several product offerings; their professional network vulnerability scanning tool is called Nessus Professional, the base price for which is $2,190 per year. I went through a VAR and bought mine for just under $2,000 as an annual fee. Nessus has been around for about two decades and has improved substantially over the years, especially in the last 2-4 years in terms of UI and ease of use. Once purchased you will have access to the Tenable portal, which is not very user-friendly, does not seem to support significantly long and complex passwords and is a bit clunky in my opinion. But this is where you can see your license number and reset it when need be, as well as potentially open tickets.<br />
<br />
<b>Of important note is that you will have access to unlimited scans and target IPs (I believe, and it has so far seemed to be true), so you can scan whatever and whenever you want. </b>The caveat if using the tool in a consulting role is that once you register the scanner it talks back to Tenable to complete the process and notes your IP address; you can only register the product from one IP at a time for a period of one week. This means that if you need to install multiple scanners in multiple locations you have to wait one week before re-registering and using your product. This becomes a hassle of logging into the portal, resetting your license and at times spending significant effort to get the tool to properly register, download plugins and work as expected. If you only need to install the tool in one location, essentially one time, then this is not an issue.<br />
<b><br /></b>
<b>Setup:</b><br />
Setting up Nessus is a breeze when you do it all the time and know the quirks. The first thing you need to do after purchase is note your license number. Next, dedicate a machine to being the scanner, i.e. install Nessus on a machine that will only be used for scanning purposes. Nessus supports Windows and Linux; I almost exclusively use CentOS 7 as the base OS and install the Nessus RPM:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhuyzkAaPYjCSW7DgP-rR9s4DGQ1sc8AxAehpV0VIbdiaPwhBhRXMs5cLe2BCi5bP-aNYrTy8E9ro9YqpW383btlKWjiMm5kSPMMrkxBpvRioV3ppN3pwefnb_VStNb31zX5nI3os37oM1/s1600/Install.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="171" data-original-width="743" height="90" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhuyzkAaPYjCSW7DgP-rR9s4DGQ1sc8AxAehpV0VIbdiaPwhBhRXMs5cLe2BCi5bP-aNYrTy8E9ro9YqpW383btlKWjiMm5kSPMMrkxBpvRioV3ppN3pwefnb_VStNb31zX5nI3os37oM1/s400/Install.png" width="400" /></a></div>
<br />
<br />
And when it works (dependencies are good to go, and you chose the right RPM from the Tenable website) it's that simple. Next, simply do what the output says: start Nessus, then browse to the web GUI to complete the setup.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncYtdRrBhCKzRiiavfMKT46fFMRWvXMzT9YpE0ND7rMEwblwLisIdxnfGye4vtxsvh7VUbJi3KZdoOJvDvLDBwJFE1jSTse64JlnFFILoEBo821nfTkgodP3kujhX2Z2KZ7wOJcZ0FdQ-/s1600/Initial.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="343" data-original-width="433" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjncYtdRrBhCKzRiiavfMKT46fFMRWvXMzT9YpE0ND7rMEwblwLisIdxnfGye4vtxsvh7VUbJi3KZdoOJvDvLDBwJFE1jSTse64JlnFFILoEBo821nfTkgodP3kujhX2Z2KZ7wOJcZ0FdQ-/s400/Initial.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLEhZqfqmUIdANmNt2RQtyhknvER6rJBgzR4pI69CePBAy-Wn4Bf6i6y4W27nh290AnepxmojEkUWL_BHY-vsJ6Wln7mFAtHmL6lOxYbAEochyTVTD2gN-Kl1ULNyypUJxxfVWu-yA6KdB/s1600/CreateAccount.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="455" data-original-width="372" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLEhZqfqmUIdANmNt2RQtyhknvER6rJBgzR4pI69CePBAy-Wn4Bf6i6y4W27nh290AnepxmojEkUWL_BHY-vsJ6Wln7mFAtHmL6lOxYbAEochyTVTD2gN-Kl1ULNyypUJxxfVWu-yA6KdB/s400/CreateAccount.png" width="326" /></a></div>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHOXkTqYDRRL8fkxclF3iW4Pst-50XGKd8JRm9hUd4J1nKqst4law-F7I6QzmmSIgJUNsqdxN1oxl-wqcZjtEDQT57YQCGGqcwu-VoumaSD-ZVZoXAjeASuBuSxLePiJmA9O37O3qLOuk8/s1600/ActivationCode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="374" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiHOXkTqYDRRL8fkxclF3iW4Pst-50XGKd8JRm9hUd4J1nKqst4law-F7I6QzmmSIgJUNsqdxN1oxl-wqcZjtEDQT57YQCGGqcwu-VoumaSD-ZVZoXAjeASuBuSxLePiJmA9O37O3qLOuk8/s400/ActivationCode.png" width="333" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlbL-RIgoOKRmsnz_zz3EnNpc74l_hmDNKT_MfwmaQpqfM07cjTh4nM6GfIJ8yExHNoQnm_YxyJOxqqQx5OzVZwMkcoKLO7HcjdcplGAQQQ3p_sQ6erfTXik8Oheems_wiri8qmjxvMOfp/s1600/Initial_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" data-original-height="295" data-original-width="374" height="315" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlbL-RIgoOKRmsnz_zz3EnNpc74l_hmDNKT_MfwmaQpqfM07cjTh4nM6GfIJ8yExHNoQnm_YxyJOxqqQx5OzVZwMkcoKLO7HcjdcplGAQQQ3p_sQ6erfTXik8Oheems_wiri8qmjxvMOfp/s400/Initial_2.png" width="400" /></a></div>
<br />
<br />
<br />
<br />
Once this process is complete you are greeted with the starting screen and it's time to set up a scan.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvw5egr_F42B0TEwJHDqCUcTKtxFPvDN1ozGqq1UfeilEBSsh8MJvotrQy6Zbxjvtmv3Mk2eoogRGE5FnYm84QjB4pRo-jipiu6j9u8NrYzQcIhqtty6amwblJY6mGbpkmIeyVS_UdvUp6/s1600/WelcomeScreen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="550" data-original-width="970" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvw5egr_F42B0TEwJHDqCUcTKtxFPvDN1ozGqq1UfeilEBSsh8MJvotrQy6Zbxjvtmv3Mk2eoogRGE5FnYm84QjB4pRo-jipiu6j9u8NrYzQcIhqtty6amwblJY6mGbpkmIeyVS_UdvUp6/s320/WelcomeScreen.png" width="320" /></a></div>
<br />
<br />
I mentioned accuracy of results being very important; the way you ensure accuracy is essentially by making sure the scanner can "talk" to every host that you intend to scan (e.g. make sure firewall rules are in place to allow the scanner traffic, that host-based firewalls are not stopping traffic and likewise that a WAF/IPS is not obstructing scanning). Also use credentials! This is called "authenticated scanning" because when you provide your scanner with SSH or domain credentials, for example, the scanner can actually log in to each properly configured endpoint and produce MUCH more accurate scan results. Think of it this way... if you don't use credentials and you scan a system you may find ports 135, 139, 445, and 3389 open on a Windows machine. The scanner will check for version information, try various SSL/TLS handshakes and launch hundreds of other vulnerability checks at the system, and perhaps only find a few medium risk findings. When you provide credentials for the scanner to log in to the remote systems, the scanner can check the patch level of the given target(s) and provide accurate information in terms of what patches are missing and what flaws are present. It's the difference between a few medium risk issues and dozens of high risk vulnerabilities. Note that this example is for internal network scanning; when I scan externally I don't typically provide credentials or expect the most accurate results. But for internal scanning as part of a robust threat and vulnerability remediation program, always use valid credentials, such as a specific service account dedicated just to scanning that is active on all Windows hosts in the environment. Consider the same for SSH with Linux hosts, and understand that not all hosts (printers, badge readers, network devices, etc.) will support authenticated scans. 
Also understand that scanning with credentials, while more accurate, can also increase risk, such as when web applications are scanned with credentials or the credentials are not stored properly and the like. The way we would set up this type of scan using Nessus is via a "Credentialed Patch Audit", which is a scanning template we can easily choose to use.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJrJTFMkzwtxC9bKtDoyY_XKna74oVVQKwsqnys-yiwrLoHz2i7PbrEb2Mkbc2YcmVfODCvybjlPW63vxhU-V39FmGWo2d86zSb4137hGoWZVDz7C0cYETuLhfGWZGNDNSAsDqojEOga6p/s1600/scantemplates.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="645" data-original-width="875" height="292" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJrJTFMkzwtxC9bKtDoyY_XKna74oVVQKwsqnys-yiwrLoHz2i7PbrEb2Mkbc2YcmVfODCvybjlPW63vxhU-V39FmGWo2d86zSb4137hGoWZVDz7C0cYETuLhfGWZGNDNSAsDqojEOga6p/s400/scantemplates.png" width="400" /></a></div>
<br />
<br />
There is no shortage of credential options to choose from in Nessus. Once again, make sure you have a dedicated account (or multiple) for scanning and test out your setup: tail the secure log on the Linux hosts you scan to see authentication working properly and/or watch the Windows event logs, or do this all from a single pane of glass, to confirm the authentication is working (it's not always obvious from the results of the scan whether authentication worked as you expected).<br />
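One way to do the "tail the secure log" confirmation from a single pane of glass, as an added example that is not part of the original post: the block below reads sshd lines (constructed here, in the format /var/log/secure uses on CentOS) collected from several hosts and reports, per expected target, whether the dedicated scanning account authenticated, failed, or never attempted a login (a sign the scanner could not reach the host), and separately flags any login by that account from an address other than the scanner's, since a leaked scanning credential is the risk the post warns about. The hostnames, account name and IP addresses are assumptions for the example.

```python
import re

# Matches the Accepted/Failed lines sshd writes to /var/log/secure, including the
# "invalid user" variant seen when the account does not exist on a host.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def audit_scanner_auth(log_lines, expected_hosts, scanner_account, scanner_ip):
    """Return (status_by_host, unexpected_logins).

    status_by_host maps each expected host to "authenticated", "failed" or
    "no attempt"; unexpected_logins lists (host, ip, result) for uses of the
    scanning account that did not come from the scanner's own address."""
    status = {h: "no attempt" for h in expected_hosts}
    unexpected = []
    for line in log_lines:
        m = SSHD_RE.match(line)
        if not m or m["user"] != scanner_account:
            continue                      # session/pam lines and other users
        host = m["host"]
        if m["ip"] != scanner_ip:
            unexpected.append((host, m["ip"], m["result"]))
            continue
        if m["result"] == "Accepted":
            status[host] = "authenticated"
        elif status.get(host) != "authenticated":
            status[host] = "failed"       # a later Accepted still wins
    return status, unexpected


def report_lines(status, unexpected):
    """Plain-text summary in the order an operator wants: problems first."""
    lines = [f"{h}: {s}" for h, s in sorted(status.items()) if s != "authenticated"]
    lines += [f"{h}: authenticated" for h, s in sorted(status.items()) if s == "authenticated"]
    lines += [f"ALERT {h}: scanning account used from {ip} ({result})"
              for h, ip, result in unexpected]
    return lines


# Constructed log lines for the example (hosts, account and IPs are made up);
# in practice these come from the hosts' /var/log/secure files or a log collector.
SAMPLE_SECURE_LOG = """\
Jul 31 22:10:01 web01 sshd[2211]: Accepted publickey for nessus-scan from 10.0.0.5 port 51234 ssh2: RSA SHA256:PLACEHOLDER
Jul 31 22:10:01 web01 sshd[2211]: pam_unix(sshd:session): session opened for user nessus-scan by (uid=0)
Jul 31 22:10:05 db01 sshd[4410]: Failed password for nessus-scan from 10.0.0.5 port 51240 ssh2
Jul 31 22:10:09 db01 sshd[4412]: Failed password for invalid user nessus-scan from 10.0.0.5 port 51242 ssh2
Jul 31 22:10:20 web01 sshd[2300]: Accepted password for admin from 10.0.0.40 port 40000 ssh2
Jul 31 22:11:02 app02 sshd[901]: Accepted password for nessus-scan from 203.0.113.9 port 39922 ssh2
""".splitlines()

if __name__ == "__main__":
    st, un = audit_scanner_auth(SAMPLE_SECURE_LOG, ["web01", "db01", "app01"],
                                "nessus-scan", "10.0.0.5")
    print("\n".join(report_lines(st, un)))
```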
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBceur5LxLaUg4PBqScdM2kXgBJjlpkTHKFOM9o55iJFsf-Uafh80bxtbCuuenroABrNCkFiv2m6GEwCKWJRztmqPyBuoZf4ejMO1wW519bzNJmwdw3r60TrlAMdj_ihTIdKKzDfGQl9BJ/s1600/credentails.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="604" data-original-width="416" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBceur5LxLaUg4PBqScdM2kXgBJjlpkTHKFOM9o55iJFsf-Uafh80bxtbCuuenroABrNCkFiv2m6GEwCKWJRztmqPyBuoZf4ejMO1wW519bzNJmwdw3r60TrlAMdj_ihTIdKKzDfGQl9BJ/s400/credentails.png" width="275" /></a></div>
<br />
<br />
The number of templates and icons looks nice, but know that all that is being done behind the scenes is simply modifying which plugins (vulnerability checks) will be executed. For example, "DROWN Detection" simply checks for the existence of CVE-2016-0800. It's convenient but not ideal for what we typically want to accomplish (although great when it's exactly what we need to do). Use the "Advanced Scan" and tune it to meet your needs. There are literally tens of thousands of vulnerability checks included with the scanner (and updated regularly). Based on your environment you can disable ones that may be irrelevant; for example, if you don't have any Cisco appliances in your environment you may choose not to use any plugins from that "Plugin Family" (a grouping of vulnerability checks for a given product/software class).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIbdtmUcWKYQIqVU33rWt2ZG3Ef0T73GFe5YHFHmqDJ09iBcjU1sxDaCZxTvi39mCn3zgirJ-Om5nHeDNGIc3dmpawKuwTmnS8x5Ff__AhjUNm1LQXtNujNc-FwGOO_ah8BuKBT1S959p/s1600/plugins.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="626" data-original-width="1108" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFIbdtmUcWKYQIqVU33rWt2ZG3Ef0T73GFe5YHFHmqDJ09iBcjU1sxDaCZxTvi39mCn3zgirJ-Om5nHeDNGIc3dmpawKuwTmnS8x5Ff__AhjUNm1LQXtNujNc-FwGOO_ah8BuKBT1S959p/s400/plugins.png" width="400" /></a></div>
<br />
<br />
In addition to credentials and plugins, further tuning of the scan template may be required for your environment; similar to nmap scanning, there are some basic discovery options you can modify as well as port scanning choices. I have found that the defaults work fine in most cases, and the only other important thing to pay attention to prior to scanning is "Enable safe checks" in the advanced section. Leave this checked (it is by default) unless causing harm to the target environment is acceptable (harm is not guaranteed to happen, but it can).<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1qD9xwwME1uEzjDH29IVlxFlthRvhz0nNkkQwR9D0xrmqhs3DnZ0r7ir_Y5Md8G3pWwneDqtQgGcxznuOAKWe2s5Z2wrCbKhqEoCiTNHwD4LyrjgH1cisgyiZGZsobsLBu_EKY53seDPy/s1600/safechecks.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="631" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1qD9xwwME1uEzjDH29IVlxFlthRvhz0nNkkQwR9D0xrmqhs3DnZ0r7ir_Y5Md8G3pWwneDqtQgGcxznuOAKWe2s5Z2wrCbKhqEoCiTNHwD4LyrjgH1cisgyiZGZsobsLBu_EKY53seDPy/s400/safechecks.png" width="400" /></a></div>
<br />
<br />
While there certainly are some other tweaks you can make to better tune the scan or modify your template, there is not MUCH more to the scanning tool that comes into play for typical scanning, other than creating a custom template (Policy) that works best for your environment(s). What you do want to look into is the "Settings" section accessed via your profile/account link. Set up SMTP to automatically email scan results if desired, configure other tools to use the REST API, set up a custom CA/certificate and modify the authentication/password policy.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wDwuX7TNCPYAzBrDEQUHCqyvr9OeYRWbSqL4S8A0ffnAsuY9UUsZUK85BFWN5W8gLmqvjzGi266YtbHSpbRq_dOmvLnaclGQvJIZbOUarMNowH9mn8iX2ipKB8zb2_SqbUqR_gLCHpiH/s1600/settings.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="590" data-original-width="967" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_wDwuX7TNCPYAzBrDEQUHCqyvr9OeYRWbSqL4S8A0ffnAsuY9UUsZUK85BFWN5W8gLmqvjzGi266YtbHSpbRq_dOmvLnaclGQvJIZbOUarMNowH9mn8iX2ipKB8zb2_SqbUqR_gLCHpiH/s400/settings.png" width="400" /></a></div>
<br />
<br />
<br />
<b><br /></b>
<b>Next, kick off your scan!</b><br />
<b><br /></b>You can see the results as the scan runs, and vulnerabilities are color-coded to denote risk.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxoYFg-ks0JOsLf1HpWEVnDvethGT37wy1qaCfrw7wcdlVaXoxZAF1OqmYj3rmYeOCeQwV4Z0jDbyRTsn8wm9NNTimSBrm4I85rzFy-Sfn14HcM7TzUamI_0icScKvUnW2JMnFfxK2Lbby/s1600/vulnerabilities.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="255" data-original-width="568" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxoYFg-ks0JOsLf1HpWEVnDvethGT37wy1qaCfrw7wcdlVaXoxZAF1OqmYj3rmYeOCeQwV4Z0jDbyRTsn8wm9NNTimSBrm4I85rzFy-Sfn14HcM7TzUamI_0icScKvUnW2JMnFfxK2Lbby/s400/vulnerabilities.png" width="400" /></a></div>
<br />
You can also drill into each vulnerability/host to get more information about what was found, including a description of the flaw and suggested remediation (usually a patch).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTBIm97ldz8UKtifRlwojLplO4S_YtU1DRbcBEU1EYfXIYteY_kM4fpQz-A91OOPMcL16_t8t1M64abRzbMCZJv42Rz-AmVAHiiWlf-LvD1WctPFijYEszD8gZ4bG7DgBaGKXYpRJ2u_EU/s1600/vulns.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="637" data-original-width="771" height="330" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTBIm97ldz8UKtifRlwojLplO4S_YtU1DRbcBEU1EYfXIYteY_kM4fpQz-A91OOPMcL16_t8t1M64abRzbMCZJv42Rz-AmVAHiiWlf-LvD1WctPFijYEszD8gZ4bG7DgBaGKXYpRJ2u_EU/s400/vulns.png" width="400" /></a></div>
<br />
<br />
The GUI is useful for reviewing the results and getting specifics, but what we need to do is produce a report to share with other teams in a given organization. The report should include the results of the scan(s), the CVSS score for each vulnerability and enough detail for confirmation and remediation to take place. Nessus supports several report export file types: HTML, PDF, CSV and two Nessus-specific ones.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi22XTGzpfNRR0OKpeDjK8BtKI111BLcQrvKEQnguZiF8CoZQZAupLsAyKZazcV12tnv95rONhZvlYnnjmh0H-pLaxS4PvuAolb4QcWxomXw_abSNjrjMzyeoOLxn1bEZKaG1C5nGZTLfXX/s1600/report.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="630" data-original-width="1393" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi22XTGzpfNRR0OKpeDjK8BtKI111BLcQrvKEQnguZiF8CoZQZAupLsAyKZazcV12tnv95rONhZvlYnnjmh0H-pLaxS4PvuAolb4QcWxomXw_abSNjrjMzyeoOLxn1bEZKaG1C5nGZTLfXX/s400/report.png" width="400" /></a></div>
<br />
The reports are not very customizable, but they provide the basic information needed to help fix the flaws.<br />
<b><br /></b>
<b>The Verdict:</b><br />
Nessus is an industry standard and definitely one of the most popular tools on the market for vulnerability scanning. It's simple and gets the job done most of the time.<br />
<br />
<b>Pros</b><br />
<br />
<ul>
<li>Affordable</li>
<li>Easy to setup and use</li>
<li>Fast implementation time (setup, scanning and results)</li>
<li>Licensing is great in terms of unlimited scanning</li>
</ul>
<div>
<b>Cons</b></div>
<div>
<ul>
<li>Too basic - not enough customizable features for niche settings</li>
<li>Follows the industry trend of charging extra for web application scanning, mobile scanning and enterprise integration; there is no longer a free version</li>
<li>Reporting is weak</li>
<li>Does not always find as many vulnerabilities as competitors (discussed later in series)</li>
</ul>
</div>
<br />
<br />
<br />
<b>SpyderSec Apprenticeship Program</b> (2018-04-30)<br />
SpyderSec is exploring offering an apprenticeship program. More details to come...<br />
<br />
<b>Upcoming Security Events</b> (2018-03-30)<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">It's (always) a busy time in my world; here are some upcoming events to be on the lookout for, all of which I am speaking at or teaching:</span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><br /></span>
<br />
<ul>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.sans.org/community/event/dev522-new-york-52390" target="_blank">Community SANS DEV522</a> - New York, NY | Mon Apr 23 - Sat Apr 28, 2018</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.sans.org/webcasts/breakingpoint-multi-function-tool-application-security-testing-107115" target="_blank">SANS Webcast</a> - Tuesday, May 1st, 2018 at 1:00 PM EDT (BreakingPoint: A Multi-Function Tool for Application and Security Testing)</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://q22018.hacknyc.com/en/" target="_blank">HACK NYC 2018</a> - New York, NY | Tue May 08 - Thu May 10, 2018 (SPEAR PHISHING: A BEHIND THE SCENES LOOK, May 8th 01:15 PM - 01:45 PM)</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.rmisc.org/" target="_blank">RMISC</a> - Denver, CO | Tue May 08 - Thu May 10, 2018 (G1. Rock Your Next Web Application Penetration Test, May 10th 2:00 PM - 3:00 PM)</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.sans.org/event/rocky-mountain-2018" target="_blank">SANS Rocky Mountain</a> - Denver, CO | Mon, Jun 4 - Sat, Jun 9, 2018 (Getting the Most Out of Burp Suite Pro, Thursday, June 7th, 7:15pm - 8:15pm)</span></li>
<li><span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><a href="https://www.sans.org/community/event/sec542-columbia-51985" target="_blank">Community SANS SEC542</a> - Columbia, MD | Mon Jun 11 - Sat Jun 16, 2018</span></li>
</ul>
<b>SnowFROC - All questions answered!</b> (2018-02-20)<br />
We are only a couple of weeks away from SnowFROC 2018, so I thought I would take a moment to talk about it.<br />
<br />
<b>What is SnowFROC?</b><br />
Simply put, SnowFROC is Denver's premier Application Security Conference. This is not a typical conference, however; to be blunt, it is more intimate and has better food (seriously) than other events you may visit. The venue holds no more than about 500 people, and being a one-day-only event means you get the best we have to offer in an 8-hour day.<br />
<br />
<b>Who is this for and who will be there?</b><br />
Presentations and training are not solely focused on application security. SnowFROC is primarily geared towards three types of individuals:<br />
<br />
<ul>
<li>Information Security Leadership: a prominent track with several interesting presentations to choose from</li>
<li>Security Engineers and Developers: 9 scheduled presentations on topics ranging from Threat Modeling IoT Systems to attacking mobile apps and automation with DevOps</li>
<li>Learners seeking hands-on training: three labs are included with the purchase of a training ticket: Crypto, Attacking WiFi and a lab based on the Equifax breach</li>
</ul>
<div>
John Strand is delivering the Keynote, world-class speakers are flying in to give their presentations and the panel at the end of the day is comprised of leaders in the industry. </div>
<div>
<br /></div>
<br />
<b>Where is SnowFROC located?</b><br />
Being the "Front Range OWASP Conference", SnowFROC is based in Denver, Colorado. The location of this event is The Cable Center on the University of Denver campus near <a href="https://www.google.com/maps/place/The+Cable+Center/@39.6831895,-104.965939,17z/data=!3m1!4b1!4m5!3m4!1s0x876c7e41b913bc55:0x12229df46fed3ad5!8m2!3d39.6831854!4d-104.9637503" target="_blank">I-25 and University</a>.<br />
<br />
<b>When does this event take place?</b><br />
This is a one day only event and takes place from 8AM to 5:30PM on Thursday March 8th 2018.<br />
<b><br /></b>
<b>How much does it cost?</b><br />
General Admission is $70.00 per person. If you want to attend the hands-on training (ongoing all day) you will need to purchase an additional ticket at $25.00 (for a total of $95.00).<br />
<b><br /></b>
<b>Why would I want to attend?</b><br />
<ul>
<li>Because the scheduled presentations are exciting</li>
<li>Because the speakers are excellent</li>
<li>Because you know a great deal when you see one</li>
<li>Because taking a day off of work to be educated, fed well and learn a lot is a great idea</li>
<li>Because $95 for a day of hands-on training is a spectacular value</li>
<li>To network and get to know Denver's security community better</li>
<li>Because you are coming from out of town and it's Denver...</li>
</ul>
<br />
Registration, schedule of events and additional information is at <a href="https://snowfroc.com/">https://snowfroc.com</a><br />
<br />
<b>What else should I know?</b><br />
Training is limited to the first 100 people to register. Parking, breakfast, lunch, happy hour, access to all talks (though they run concurrently) and the panel discussion are all included with general admission pricing. Tickets are expected to sell out, so get yours now!<br />
<b><br /></b>
<br />
<b>SANS SEC542 March 2018 - Portland</b> (2018-01-02)<br />
Portland, Oregon! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...<br />
<br />
Class begins on March 5, 2018, when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" /></a></div>
<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
This is certainly one of my favorite classes and I think one of the best parts about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-portland-51400" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:<br />
<br />
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
<br />
<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s1600/542.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s320/542.png" width="320" /></a></div>
</div>
<b>SANS SEC542 November 2017 - Tampa, FL</b> (2017-10-14)<br />
Tampa, Florida! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...<br />
<br />
Class begins on November 13, 2017 (Monday through Saturday), when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" /></a></div>
<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
This is certainly one of my favorite classes and I think one of the best parts about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-tampa-49482" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:<br />
<br />
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
<br />
<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s1600/542.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s320/542.png" width="320" /></a></div>
</div>
<b>Potential flaw in popular software analytics implementations</b> (2017-07-31)<br />
Stay tuned. More to come after additional research and responsible disclosure.<br />
<br />
<b>Holiday Puzzler</b> (2017-06-30)<br />
I came across this at secureset.com (can't find the link anymore though):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrqP3hV-st1VVu7SyuRcgJZ-bm1ArI5GFkGznUa0ZAIa3cxhyphenhyphenGHY2_3wrVLbwCDzoc8MS9sWWcnBOrASY83g1KQScbf0Nhi96x5wtToBrK-5aASb18riWjNk3pq9ymx2YrHHoWZFA_J3ft/s1600/junehackchallenge.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="534" data-original-width="1600" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrqP3hV-st1VVu7SyuRcgJZ-bm1ArI5GFkGznUa0ZAIa3cxhyphenhyphenGHY2_3wrVLbwCDzoc8MS9sWWcnBOrASY83g1KQScbf0Nhi96x5wtToBrK-5aASb18riWjNk3pq9ymx2YrHHoWZFA_J3ft/s320/junehackchallenge.png" width="320" /></a></div>
<br />
Try and figure out what it is and when you do, share!<br />
<br />
<b>SANS SEC542 August 2017 - Detroit, MI</b> (2017-05-21)<br />
Detroit, Michigan! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...<br />
<br />
Class begins on August 7, 2017 (Monday through Saturday), when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" /></a></div>
<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
This is certainly one of my favorite classes and I think one of the best parts about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-detroit-48127" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:<br />
<br />
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
<br />
<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s1600/542.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s320/542.png" width="320" /></a></div>
</div>
<b>SANS SEC542 May 2017 - Chicago, IL</b> (2017-03-26)<br />
Chicago! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...<br />
<br />
Class begins on May 15, 2017 (Monday through Saturday), when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" /></a></div>
<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
This is certainly one of my favorite classes and I think one of the best parts about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-chicago-47637" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:<br />
<br />
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
<br />
<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s1600/542.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s320/542.png" width="320" /></a></div>
</div>
<b>SANS SEC542 April 2017 - Chicago, IL</b> (2017-02-25)<br />
Chicago! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...<br />
<br />
Class begins on April 3rd, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiS1IudaPntYya49CE7aPBUnZppxBqrTRhqR13QxiQ1epqJDl9SYKh3qQbwU7cPqV8oqSiMYKUapq3F1a9eVPnf8ccL2wobs4pCDXEQVClV6BS3BVShNBnqAfUcQVEpKANQJpM9EPhisckV/s1600/gwapt-gold.png" /></a></div>
<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
This is certainly one of my favorite classes and I think one of the best parts about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-chicago-47637" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:<br />
<br />
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
<br />
<br />
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s1600/542.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDa8p0Xjesg0x9rLT_5RoWR4SemmGJcUTNFP9qWvP4R2IpWXL7QgsTfSsJaiyQ9mnTMNWZYmboe9MSUDCPo1wRxZZwPCq8Mn6anrtWe-eWWMHxtg4pkKPWSc6FINB-Q06JggckT3W9Pk6A/s320/542.png" width="320" /></a></div>
</div>
<b>Upcoming Security Events</b> (2017-01-28)<br />
It's a busy time in the world of information security; here are some upcoming events to be on the lookout for: two local events in Denver and two farther away:<br />
<br />
<ul>
<li><a href="https://www.rsaconference.com/events/us17" target="_blank">RSA Conference 2017</a> - February 13th-17th in San Francisco. This is a huge event with a large number of great speakers.</li>
<li><a href="https://www.snowfroc.com/" target="_blank">SnowFROC</a> - March 16th: Call for papers/speakers is open and sponsorship opportunities are also still available. This is the Front Range OWASP conference and it's going to be awesome!</li>
<li><a href="https://www.rmisc.org/" target="_blank">RMISC</a> - May 9th-11th: This also has an open call for presentations and should be a great time.</li>
<li><a href="https://www.sans.org/community/event/sec542-chicago-47637" target="_blank">SANS SEC542</a> - April 3rd-8th in Chicago. This is top notch offensive security training with a focus on web applications.</li>
</ul>
<b>SANS SEC542 January 2017 - Toronto, Ontario (Canada)</b> (2016-11-19)<br />
Web Application Penetration Testing and Ethical Hacking: SANS SEC542 is coming to Toronto, Ontario, Canada!<br />
<br />
The fun starts on January 9th, 2017 (Monday through Saturday), when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-toronto-46185" target="_blank">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:</div>
<div>
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
</div>
<b>Why everything you know about passwords is wrong</b> (2016-10-25)<br />
<span style="font-size: large;">Why is everything that you know about passwords wrong?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The short answer is because of articles like this: http://www.businessinsider.com/hacker-strong-password-2016-4</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">A better answer is, I don't know who you are: you may be an infosec professional, a password guru or someone else in the know, and therefore the title of this post does not apply; but for the vast majority of people it certainly does.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">The problem in the aforementioned article (and others like it) that this post will focus on is the concept of, "It's something that's easy to remember. All you gotta do is remember that sentence." That notion, that type of thinking, qualifies as an epic failure. If you, as a user/consumer, are remembering passwords for websites (or apps, or accounts or whatever) you are failing miserably.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Let's skip right to the solution, then delve into reality afterwards... </span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>The right way to deal with passwords is to use a password vault/safe - a software solution to store all of your passwords in an encrypted file. Period.</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">But not quite... Because nothing in the world of information security is ever that simple. First you need education, which takes time, effort, and motivation. Without this crucial first step you will be doomed even, or especially, with an encrypted password vault at your disposal.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What a password vault does is provide a way to store DIFFERENT, COMPLEX, AUTOMATICALLY GENERATED passwords for you. You never have to remember another password for any account that you log in to*. This is the big secret: the capitalized words above are what make a password "strong". Your passwords have to be different for every account you use, they have to be crazy complex, they have to be generated for you, and you can't remember them.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><b>That is the whole point. Never remember passwords!* </b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Depending on the account in question, my password is 90+ characters and I have no idea what it is; I copy it from my password vault and paste it into the password field on a website to log in. </span><br />
<span style="font-size: large;"> </span><br />
<span style="font-size: large;">Here is the reality that most of us face:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">How many different accounts do you login to? How many of those accounts do you use the same password for? Do you have accounts that you have not changed the password for in years? How did/do you come up with a "strong" password?</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Many people have 1-3 dozen different accounts that they may log in to throughout the course of a year. Think about it: social networking (3-9 accounts), Mail#1, Mail#2, banking, retail, credit card website, hotel(s), flight/travel, business (corporate not included), phone, computer, entertainment apps, and many more.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Different people have different methods for how they handle passwords as well. Some people reuse the same password for all of these examples, others modify it slightly for each account while other people try hard to create passwords they think will help protect themselves from compromise. If you fall into any of these categories you are fighting a losing battle. As humans we are not great at remembering complex, random strings of characters. Of course there are methods to help with this (Thanks Randall): https://xkcd.com/936/</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: large;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQfzGDCur-8BH8q01lyqD0RKcg9ynRZjRjJtZ9s4nSgIiMzc4-HBzaJjWD4gPQh4iohzsjjRx-9Io6OwxHBQmUxqBX9Zi775hohw1o3b1ALJ_r3z5YPfK_8tb1L9UtFceo6ZuhmgM2yp4U/s1600/xkcd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQfzGDCur-8BH8q01lyqD0RKcg9ynRZjRjJtZ9s4nSgIiMzc4-HBzaJjWD4gPQh4iohzsjjRx-9Io6OwxHBQmUxqBX9Zi775hohw1o3b1ALJ_r3z5YPfK_8tb1L9UtFceo6ZuhmgM2yp4U/s400/xkcd.png" width="400" /></a></span></div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Some more reality: attackers aren't trying to crack your passwords in most cases. They are successfully guessing your horribly weak password or using a password reset feature to change it. In the case of the 500 million Yahoo! accounts being breached, attackers may actually be trying to crack your password as opposed to just guessing it. The website/account/application plays a huge role in this portion of your account security. Will Gmail lock out your account after x failed login attempts? How about Apple or Twitter or your online bank? What is stopping an attacker from trying to log in to your account using thousands of passwords until one eventually works? Does the application/website even support complex passwords? Too often I come across a website that only supports some special characters or only 12 characters maximum for passwords.</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">What you do to protect your account plays an incredibly important role as well, for example using 2-factor authentication for sensitive accounts if it's an option. </span><br />
<br />
<span style="font-size: large;">I mentioned password vaults/safes and education at the beginning of this post and I would be remiss if I didn't clearly communicate the risk as well. Having all passwords in one file, no matter how well it's encrypted, is still a single point of failure... And there are several ways to fail with this method. If you choose to pursue a password vault/safe as an option for storing passwords, be advised that you have to know how to use it, what it will do, its limitations, and the downsides, of which there are several; this makes it not the ideal choice for a novice user. This type of solution is not for everyone and can increase risk in some scenarios. *And of course having a vault/safe usually still requires that you remember at least one password; ironic, isn't it?</span><br />
<span style="font-size: large;"> </span><br />
<span style="font-size: large;">You may hear that "Passwords are dead" or that passwords are antiquated, and while they are certainly not ideal, passwords are in fact here to stay for the foreseeable future. With this in mind it's important to come up with a better solution for dealing with passwords safely; the good news is that there are several good solutions currently available. Take your time, get educated and ask questions. Here are a few ideas to get your research started:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">http://lmgtfy.com/?q=password+vaults</span><br />
<span style="font-size: large;"><br /></span>
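As an added illustration (not the post's own code), here is the entropy arithmetic behind the argument above: a vault-generated 90-character password, the ceiling imposed by a site that allows only 12 characters and a handful of special characters, and an xkcd-936-style passphrase. The word list is constructed for the example and far too small for real use.

```python
import math
import secrets
import string

# Letters, digits and all printable ASCII punctuation: 94 symbols, the kind
# of alphabet a vault's generator draws from.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list standing in for a real
# diceware/xkcd-style list (real lists have thousands of entries).
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "copper",
                   "meadow", "lantern", "pebble", "violet", "walnut", "zephyr"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from `alphabet`, drawn with the CSPRNG behind `secrets`."""
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist=SAMPLE_WORDLIST, sep: str = " ") -> str:
    """xkcd-936-style passphrase: `words` entries picked at random from `wordlist`."""
    if words < 1 or not wordlist:
        raise ValueError("words must be >= 1 and wordlist must be non-empty")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def site_policy_entropy(max_length: int, allowed_specials: str) -> float:
    """Best case a restrictive site permits: its maximum length, drawn from
    letters, digits and only the special characters it accepts."""
    alphabet = set(string.ascii_letters + string.digits + allowed_specials)
    return entropy_bits(max_length, len(alphabet))


if __name__ == "__main__":
    vault_pw = generate_password(90)
    print(f"vault password, {len(vault_pw)} chars: "
          f"{entropy_bits(90, len(FULL_ALPHABET)):.0f} bits")
    print(f"12-char site allowing only '!@#': {site_policy_entropy(12, '!@#'):.0f} bits")
    # A 7776-word diceware list gives ~12.9 bits per word; our 12-word list
    # gives only ~3.6 and exists just to exercise the formula.
    print(f"4 words from a 7776-word list: {entropy_bits(4, 7776):.1f} bits")
    print("sample passphrase:", generate_passphrase(4))
```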
SANS SEC542 November 2016 - Anaheim, CA (2016-09-29)<br />
Anaheim California...<br />
<br />
Home of Disneyland, the Anaheim GardenWalk, Angel Stadium (and so much more) and now Web Application Penetration Testing and Ethical Hacking via SANS SEC542!<br />
<br />
The fun starts on November 7th, 2016 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.<br />
<br />
This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.<br />
<br />
One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-anaheim-nov-2016">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Automated web app vulnerability scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:</div>
<div>
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
</div>
SANS @Night (2016-07-14)<br />
I presented at an @Night talk this evening at SANS Rocky Mountain 2016, the topic: Implementing Secure HTTP Headers. Thanks to everyone that showed up, as usual the slides tell only a portion of the story. I did use evilsite.info to demo XFS and show some X-Frame-Options outcomes as well as X-XSS-Protection in action; which was interesting. Unfortunately the primary Banking site I had been using for clickjacking demonstrations is no longer servicing requests - so I will need to update that at some point. At any rate, the slides are here: <a href="http://evilsite.info/presentations/ImplementingSecureHTTPHeadersC.pptx" target="_blank">Presentation</a><br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilTYYfD9TeZJiO1WSfxDa9U2iKI3T0yb5rhb9ScaSuiHBglFaPtXuLfeLlgxX2LOT8zfLXyemRBD0d2PDHKJSc8W_ihO_OdpCiTp-n9gXRmaWI4U5W7LHrU8pnX7H90u81ZHnCDwGn5-Vj/s1600/SansTalk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="347" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilTYYfD9TeZJiO1WSfxDa9U2iKI3T0yb5rhb9ScaSuiHBglFaPtXuLfeLlgxX2LOT8zfLXyemRBD0d2PDHKJSc8W_ihO_OdpCiTp-n9gXRmaWI4U5W7LHrU8pnX7H90u81ZHnCDwGn5-Vj/s400/SansTalk.png" width="400" /></a></div>
Security Headers Part 1 (2016-06-29)<br />
Part one is XFS, and what I am trying to convey is one silly risk and one real risk of not setting the X-Frame-Options header correctly on pages where sensitive transactions take place. The example referenced below is just that, an example (hence the .info domain); there is no malicious intent and no actual compromise of any of the sites used in the examples. One big TODO is to get the pages to dynamically resize based on browser size so the UI elements in the parent frame are smoother. Time is short and what should have taken weeks to fit into the schedule took months, so here it is:
<br />
<br />
<a href="http://evilsite.info/Headers/XFS/xfs.html">evilsite.info</a>
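As an added example (not code from this post or from evilsite.info), a small audit over a set of response headers covering the framing protection discussed here, plus the Strict-Transport-Security and Content-Security-Policy headers listed in the Part 0 post. The two sample header sets are constructed for the example, not captured from any real site.

```python
from typing import Dict, List, Optional

def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; key everything by lower-case name."""
    return {k.lower(): v.strip() for k, v in headers.items()}

def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def audit_framing(headers: Dict[str, str]) -> List[str]:
    """Can other origins frame this page (clickjacking / XFS)?"""
    h = _normalise(headers)
    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options")
    findings = []
    if ancestors is not None:
        # When frame-ancestors is present, browsers ignore X-Frame-Options.
        if any(src in ("*", "http:", "https:") for src in ancestors):
            findings.append("CSP frame-ancestors permits any origin")
    elif xfo is None:
        findings.append("no X-Frame-Options and no frame-ancestors: any site can frame this page")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options {xfo!r} is not DENY/SAMEORIGIN (ALLOW-FROM is not honoured by modern browsers)")
    return findings

def audit_hsts(headers: Dict[str, str]) -> List[str]:
    """Is Strict-Transport-Security present, long-lived and covering subdomains?"""
    hsts = _normalise(headers).get("strict-transport-security")
    if hsts is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for d in hsts.split(";"):
        name, _, value = d.strip().partition("=")
        directives[name.lower()] = value.strip('" ')
    findings = []
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < 31536000:  # one year in seconds
        findings.append("HSTS max-age missing or shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains")
    return findings

def audit(headers: Dict[str, str]) -> List[str]:
    return audit_framing(headers) + audit_hsts(headers)

# Constructed sample responses; not captured from any real site.
WEAK = {"Content-Type": "text/html", "X-XSS-Protection": "1; mode=block"}
HARDENED = {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(hdrs) or ["no findings"])
```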
SANS SEC542 August 2016 - Denver, CO (2016-05-22)<br />
Denver Colorado!<br />
<br />
Join me the week of August 8th, 2016 (Monday through Saturday) to learn all about web app pen testing with SEC542 and also prepare for the GIAC GWAPT (Web Application Penetration Tester) certification exam.<br />
<br />
This is a six-day Community SANS event, complete with an attack/lab VM, books, all class materials and a full day of Capture the Flag (CTF) on day six to really solidify all of the concepts and tools.<br />
<br />
One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below. <br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-denver-20jun2016-serge-borso">www.sans.org</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Logic Attacks</li>
<li>Metasploit</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Command Injection </li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (XSRF)</li>
<li>Command scanning tools</li>
<li>Manual scanning techniques</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:</div>
<div>
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
</div>
SANS SEC542 May 2016 - Columbus, OH (2016-04-28)<br />
Columbus Ohio! Seats are still available for more students, please use the link below to register.<br />
<br />
This one-week class starts Monday May 16th, 2016 and runs through Saturday May 21st, and prepares students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/community/event/sec542-columbus-may-2016">www.sans.org/</a><br />
<br />
We will be covering all of these topics and more:<br />
<ul>
<li>Interception Proxies
<ul>
<li>ZAP (Zed Attack Proxy)</li>
<li>Burp Suite</li>
</ul>
</li>
<li>SQL Injection</li>
<li>Blind SQL Injection</li>
<li>Reflected Cross-Site Scripting (XSS)</li>
<li>Stored Cross-Site Scripting (XSS)</li>
<li>Local File Inclusion (LFI)</li>
<li>Remote File Inclusion (RFI)</li>
<li>Cross-Site Request Forgery (CSRF/XSRF)</li>
</ul>
<div>
If your job description falls under one of these categories and you have an affinity towards information security, or a desire to learn how attackers are able to compromise web applications, then this class is for you:</div>
<div>
<ul>
<li>General security practitioners</li>
<li>Penetration testers</li>
<li>Ethical hackers</li>
<li>Web application developers</li>
<li>Website designers and architects</li>
</ul>
</div>
Security Headers Part 0 (2016-03-31)<br />
I am starting a series of postings that will focus on common security-related HTTP headers such as:<br />
<br />
<ul>
<li>Strict-Transport-Security</li>
<li>Content-Security-Policy</li>
<li>X-Frame-Options</li>
<li>And several others... </li>
</ul>
My purpose for this is to communicate the risk associated with not implementing each one, why they matter, and to show some real-world scenarios centered around each of these headers. The first posting will be focused on X-Frame-Options and Clickjacking; I hope to have it written and posted in the next couple of weeks. Stay tuned.<br />
<br />
SANS SEC 542 Mentor Class March 2016 - Denver Metro (2016-01-06)<br />
Seats are still available for more students!<br />
<br />
This 10-week class starts Tuesday March 8th, 2016 and runs once per week for two hours each Tuesday night. This class will prepare students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.<br />
<br />
SECURITY 542: Web App Penetration Testing and Ethical Hacking: <a href="https://www.sans.org/mentor/class/sec542-denver-mar-2016-serge-borso">www.sans.org/</a><br />
<br />
Meeting once a week after work, you'll learn many facets of Web App Penetration Testing and Ethical Hacking in this popular Mentor multi-week format, with time between classes to absorb and master the material. You also receive downloadable MP3 files of the full class being taught to enhance your studies.<br />
<br />
Course Details:<br />
Class Title: SEC 542: Web App Penetration Testing and Ethical Hacking<br />
Start Date: Tuesday March 8th, 6:00-8:00pm<br />
Location: Aurora Colorado<br />
Instructor: Mentor Serge Borso<br />
Registration details: <a href="https://www.sans.org/registration/register.php?conferenceid=43572">www.sans.org/register</a><br />
<br />
Each week your local Mentor, Serge Borso, will highlight the key concepts you need to know and assist you with hands-on labs and exercises. From attack methodology to server-side discovery, you'll be learning the exploits and tools needed to protect your systems from attack. The class wraps up with a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site. Each week you will be able to show off your knowledge the next day at the office!<br />
<br />
The SANS Mentor Program is HERE! Starting soon in the Denver metro area, conveniently located in Aurora near I-225 and Parker Road. Train Local and Save on the same material taught at SANS six-day conferences.