Saturday, November 19, 2016

SANS SEC542 January 2017 - Toronto, Ontario (Canada)


Web Application Penetration Testing and Ethical Hacking: SANS SEC542 is coming to Toronto, Ontario, Canada!

The fun starts on January 9th, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.

This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.

One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org

We will be covering all of these topics and more:
  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • Burp Suite
  • SQL Injection
  • Logic Attacks
  • Metasploit
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Command Injection
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (XSRF)
  • Automated web app vulnerability scanning tools
  • Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

Tuesday, October 25, 2016

Why everything you know about passwords is wrong

Why is everything that you know about passwords wrong?

The short answer is because of articles like this: http://www.businessinsider.com/hacker-strong-password-2016-4

A better answer is, I don't know who you are: you may be an infosec professional, a password guru or someone else in the know, and therefore the title of this post does not apply; but for the vast majority of people it certainly does.

The problem in the aforementioned article (and others like it) that this post will focus on is the concept of, "It's something that's easy to remember. All you gotta do is remember that sentence." That notion, that type of thinking qualifies as an epic failure. If you, as a user/consumer, are remembering passwords for websites (or apps, or accounts or whatever) you are failing miserably.

Let's skip right to the solution, then delve into reality afterwards...

The right way to deal with passwords is to use a password vault/safe - a software solution to store all of your passwords in an encrypted file. Period.

But not quite... Because nothing in the world of information security is ever that simple. First you need education, which takes time, effort, and motivation. Without this crucial first step you will be doomed even/especially with an encrypted password vault at your disposal.

What a password vault does is provide a way to store DIFFERENT, COMPLEX, AUTOMATICALLY GENERATED passwords for you. You never have to remember another password for any account that you log in to*. This is the big secret: the capitalized words above are what make a password "strong". Your passwords have to be different for every account you use, they have to be crazy complex, they have to be generated for you, and you can't remember them.

That is the whole point. Never remember passwords!* 

Depending on the account in question, my password is 90+ characters and I have no idea what it is; I copy it from my password vault and paste it into the password field on a website to log in.
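What "complex, generated for you" looks like in practice, as an added example (this is not the author's code or any vault product's): a small Python generator that draws from every character class using the OS random source, honours the length cap and the reduced special-character set a site may impose (the post later mentions sites that cap passwords at 12 characters), and reports how many bits of entropy a password of that shape carries. The default length of 90, the policy helper and the constants are assumptions for illustration.

```python
import math
import secrets
import string

# Character classes; the special set can be narrowed to whatever a site accepts.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALL_SPECIALS = string.punctuation  # 32 characters, so 94 in total with the rest

_rng = secrets.SystemRandom()  # OS CSPRNG; never use random.Random for passwords


def generate_password(length=90, specials=ALL_SPECIALS, max_length=None):
    """Return a random password containing at least one character of every class.

    length:     desired length (the post's author uses 90+ where a site allows it)
    specials:   special characters the site permits ("" if it allows none)
    max_length: hard cap imposed by the site, if any (e.g. 12); it wins over length
    """
    if max_length is not None:
        length = min(length, max_length)
    classes = [LOWER, UPPER, DIGITS] + ([specials] if specials else [])
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    # One guaranteed pick per class, the rest from the whole alphabet, then a
    # shuffle so the guaranteed characters do not sit at predictable positions.
    chars = [_rng.choice(cls) for cls in classes]
    chars += [_rng.choice(alphabet) for _ in range(length - len(classes))]
    _rng.shuffle(chars)
    return "".join(chars)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def meets_policy(password, specials=ALL_SPECIALS, max_length=None):
    """Check the properties generate_password() promises; usable on any candidate."""
    if max_length is not None and len(password) > max_length:
        return False
    classes = [LOWER, UPPER, DIGITS] + ([specials] if specials else [])
    alphabet = set("".join(classes))
    return all(c in alphabet for c in password) and all(
        any(c in cls for c in password) for cls in classes
    )


if __name__ == "__main__":
    pw = generate_password()
    print(len(pw), "chars, about", round(entropy_bits(94, len(pw))), "bits")
    # A site that caps passwords at 12 characters and allows only "!@#$":
    capped = generate_password(specials="!@#$", max_length=12)
    print(capped, "about", round(entropy_bits(26 + 26 + 10 + 4, 12)), "bits")
```

The entropy figure is an upper bound: forcing one character from each class makes the output slightly less than uniform, but for 90 characters the difference is negligible. The instructive comparison is the capped case, where a 12-character limit with four allowed specials leaves well under 80 bits no matter how the password is chosen, which is why the site's policy, not the user's cleverness, decides the ceiling.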
 
Here is the reality that most of us face:

How many different accounts do you login to? How many of those accounts do you use the same password for? Do you have accounts that you have not changed the password for in years? How did/do you come up with a "strong" password?

Many people have 1-3 dozen different accounts that they may log in to throughout the course of a year. Think about it: social networking (3-9 accounts), Mail #1, Mail #2, banking, retail, credit card website, hotel(s), flight/travel, business (corporate not included), phone, computer, entertainment apps, and many more.

Different people have different methods for how they handle passwords as well. Some people reuse the same password for all of these examples, others modify it slightly for each account while other people try hard to create passwords they think will help protect themselves from compromise. If you fall into any of these categories you are fighting a losing battle. As humans we are not great at remembering complex, random strings of characters. Of course there are methods to help with this (Thanks Randall): https://xkcd.com/936/

Some more reality: Attackers aren't trying to crack your passwords in most cases. They are guessing your horribly weak password successfully or using a password reset feature to change it. In the case of the 500 million Yahoo! accounts being breached, attackers may actually be trying to crack your password as opposed to just guessing it. The website/account/application plays a huge role in this portion of your account security. Will Gmail lock out your account after x failed login attempts? How about Apple or Twitter or your online bank? What is stopping an attacker from trying to log in to your account using thousands of passwords until one eventually works? Does the application/website even support complex passwords? Too often I come across a website that supports only some special characters or caps passwords at 12 characters.
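The lockout question above from the application's side, as an added example that is not the author's code: a detector run over a few constructed login-log lines that counts failures in a sliding window both per account and per source address. The log format, field names, the five-in-five-minutes threshold and the sample addresses are all assumptions made for the example; the point it shows is that a per-account lockout alone never sees the pattern of one guess against each of many accounts, which only the per-source count catches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format; not from any real system).
# Five quick failures on one account, then one failure each on five different
# accounts from a single address, then a lone failure much later. Lines are
# assumed to be in time order, as a log file normally is.
SAMPLE_LOG = """\
2016-10-25T08:00:01 LOGIN_FAILED user=alice src=203.0.113.5
2016-10-25T08:00:02 LOGIN_FAILED user=alice src=203.0.113.5
2016-10-25T08:00:03 LOGIN_FAILED user=alice src=203.0.113.5
2016-10-25T08:00:04 LOGIN_FAILED user=alice src=203.0.113.5
2016-10-25T08:00:05 LOGIN_FAILED user=alice src=203.0.113.5
2016-10-25T08:00:06 LOGIN_OK user=alice src=203.0.113.5
2016-10-25T08:05:00 LOGIN_FAILED user=bob src=198.51.100.7
2016-10-25T08:05:01 LOGIN_FAILED user=carol src=198.51.100.7
2016-10-25T08:05:02 LOGIN_FAILED user=dave src=198.51.100.7
2016-10-25T08:05:03 LOGIN_FAILED user=erin src=198.51.100.7
2016-10-25T08:05:04 LOGIN_FAILED user=frank src=198.51.100.7
2016-10-25T09:30:00 LOGIN_FAILED user=bob src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")


def parse_events(log_text):
    """Yield (timestamp, outcome, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines in some other format rather than crash
        ts, outcome, user, src = m.groups()
        yield datetime.fromisoformat(ts), outcome, user, src


def find_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {("user", name) or ("src", ip): peak failure count} for every key
    whose failed logins inside any sliding window of `window` reached `threshold`.

    Successful logins are ignored; only failures feed the counters.
    """
    recent = defaultdict(deque)  # key -> timestamps of failures still inside window
    flagged = {}
    for ts, outcome, user, src in parse_events(log_text):
        if outcome != "LOGIN_FAILED":
            continue
        for key in (("user", user), ("src", src)):
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


if __name__ == "__main__":
    for (kind, value), count in sorted(find_bursts(SAMPLE_LOG).items()):
        print(f"{kind}={value}: {count} failed logins within 5 minutes")
```

On the sample, alice and her source address trip the threshold in the first block, and 198.51.100.7 trips it in the second even though no single account there failed more than once; bob's two failures are 85 minutes apart and never count together. Whatever an application does on a hit (temporary lockout, a CAPTCHA, alerting the account owner) is a policy choice, but without some counter like this there is nothing stopping the thousands of guesses the post asks about.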

What you do to protect your account plays an incredibly important role as well; for example, use 2-factor authentication for sensitive accounts if it's an option.

I mentioned password vaults/safes and education at the beginning of this post and I would be remiss if I didn't clearly communicate the risk as well. Having all passwords in one file, no matter how well it's encrypted, is still a single point of failure... And there are several ways to fail with this method. If you choose to pursue a password vault/safe as an option for storing passwords, be advised that you have to know how to use it, what it will do, its limitations, and the downsides, of which there are several; that makes it a less than ideal choice for a novice user. This type of solution is not for everyone and can increase risk in some scenarios. *And of course having a vault/safe usually still requires that you remember at least one password; ironic, isn't it?
 
You may hear that "passwords are dead" or that passwords are antiquated, and while they are certainly not ideal, passwords are in fact here to stay for the foreseeable future. With this in mind it's important to come up with a better solution for dealing with passwords safely; the good news is that there are several good solutions currently available. Take your time, get educated and ask questions. Here are a few ideas to get your research started:

http://lmgtfy.com/?q=password+vaults

Thursday, September 29, 2016

SANS SEC542 November 2016 - Anaheim, CA

Anaheim California...

Home of Disneyland, the Anaheim GardenWalk, Angel Stadium (and so much more) and now Web Application Penetration Testing and Ethical Hacking via SANS SEC542!

The fun starts on November 7th, 2016 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.

This is a six day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.

One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org

We will be covering all of these topics and more:
  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • Burp Suite
  • SQL Injection
  • Logic Attacks
  • Metasploit
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Command Injection
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (XSRF)
  • Automated web app vulnerability scanning tools
  • Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

Thursday, July 14, 2016

SANS @Night

I presented at an @Night talk this evening at SANS Rocky Mountain 2016, the topic: Implementing Secure HTTP Headers. Thanks to everyone who showed up; as usual the slides tell only a portion of the story. I did use evilsite.info to demo XFS and show some X-Frame-Options outcomes as well as X-XSS-Protection in action, which was interesting. Unfortunately the primary banking site I had been using for clickjacking demonstrations is no longer servicing requests, so I will need to update that at some point. At any rate, the slides are here: Presentation

Wednesday, June 29, 2016

Security Headers Part 1

Part one covers XFS, and what it tries to convey is one silly risk and one real risk of not setting the X-Frame-Options header correctly on pages where sensitive transactions take place. The example referenced below is just that, an example (hence the .info domain); there is no malicious intent and no actual compromise of any of the sites used in the examples. One big TODO is to get the pages to dynamically resize based on browser size so the UI elements in the parent frame are smoother. Time is short, and what should have taken weeks to fit into the schedule took months, so here it is:

evilsite.info

Sunday, May 22, 2016

SANS SEC542 August 2016 - Denver, CO

Denver Colorado!

Join me the week of August 8th, 2016 (Monday through Saturday) to learn all about web app pen testing with SEC542 and also prepare for the GIAC GWAPT (Web Application Penetration Tester) certification exam.

This is a six day Community SANS event, complete with an attack/lab VM, books, all class materials and a full day of Capture the Flag (CTF) on day six to really solidify all of the concepts and tools.

One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and Zap! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org

We will be covering all of these topics and more:
  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • Burp Suite
  • SQL Injection
  • Logic Attacks
  • Metasploit
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Command Injection
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (XSRF)
  • Command scanning tools
  • Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

Thursday, April 28, 2016

SANS SEC542 May 2016 - Columbus, OH

Columbus Ohio! Seats are still available for more students, please use the link to register below.

This one week class starts Monday May 16th, 2016 and runs through Saturday May 21st and prepares students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org/

We will be covering all of these topics and more:
  • Interception Proxies
    • ZAP (Zed Attack Proxy)
    • Burp Suite
  • SQL Injection
  • Blind SQL Injection
  • Reflected Cross-Site Scripting (XSS)
  • Stored Cross-Site Scripting (XSS)
  • Local File Inclusion (LFI)
  • Remote File Inclusion (RFI)
  • Cross-Site Request Forgery (CSRF/XSRF)
If your job description falls under one of these categories and you have an affinity towards information security, or a desire to learn how attackers are able to compromise web applications, then this class is for you:
  • General security practitioners
  • Penetration testers
  • Ethical hackers
  • Web application developers
  • Website designers and architects

Thursday, March 31, 2016

Security Headers Part 0

I am starting a series of postings that will focus on common security related HTTP headers such as:

  • Strict-Transport-Security
  • Content-Security-Policy
  • X-Frame-Options
  • And several others...
My purpose for this is to communicate the risk associated with not implementing each one, why they matter, and to show some real-world scenarios centered around each of these headers. The first posting will focus on X-Frame-Options and Clickjacking; I hope to have it written and posted in the next couple of weeks. Stay tuned.
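As an added example covering both the X-Frame-Options point in Security Headers Part 1 and the header list above (this is not the author's code and has nothing to do with evilsite.info): a Python audit of a response's security headers that flags the failure modes a defender actually meets, an X-Frame-Options value that is not DENY or SAMEORIGIN (browsers ignore an undefined value and allow framing), a Strict-Transport-Security max-age too short to matter, and a Content-Security-Policy without frame-ancestors. The two header sets are constructed, the one-year HSTS minimum is an assumed threshold, and the finding strings are my own wording.

```python
import re

# Constructed responses (assumed values, not captured from any real site).
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",            # not a defined value
    "Strict-Transport-Security": "max-age=600",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

MIN_HSTS_AGE = 31536000  # one year; a common recommendation, assumed here


def get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_frame_options(headers):
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return "missing: any origin can frame this page (clickjacking risk)"
    upper = xfo.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return "ok"
    if upper.startswith("ALLOW-FROM"):
        return "weak: ALLOW-FROM is not honoured by all browsers; use CSP frame-ancestors"
    return f"invalid: {xfo!r} is not a defined value, browsers ignore it and allow framing"


def check_hsts(headers):
    hsts = get_header(headers, "Strict-Transport-Security")
    if hsts is None:
        return "missing: browser will still accept plain-HTTP requests to this host"
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        return "invalid: no max-age directive"
    age = int(m.group(1))
    if age < MIN_HSTS_AGE:
        return f"weak: max-age={age} is below {MIN_HSTS_AGE}"
    return "ok"


def check_csp(headers):
    csp = get_header(headers, "Content-Security-Policy")
    if csp is None:
        return "missing: no Content-Security-Policy"
    if "frame-ancestors" not in csp.lower():
        return "partial: no frame-ancestors directive, framing is governed by X-Frame-Options only"
    return "ok"


def audit(headers):
    """One finding per header; 'ok' means nothing to report for that header."""
    return {
        "X-Frame-Options": check_frame_options(headers),
        "Strict-Transport-Security": check_hsts(headers),
        "Content-Security-Policy": check_csp(headers),
    }


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for name, finding in audit(hdrs).items():
            print(f"  {name}: {finding}")
```

To run it against a live site, feed `audit()` the header mapping from whatever HTTP client you use (for example `requests.get(url).headers`); the checks themselves need nothing but the dictionary. The CSP check is there because `frame-ancestors` takes precedence over X-Frame-Options in browsers that support it, so a page that sets only the older header is relying on a fallback.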

Wednesday, January 6, 2016

SANS SEC 542 Mentor Class March 2016 - Denver Metro

Seats are still available for more students!

This 10 week class starts Tuesday March 8th, 2016 and runs once per week for two hours each Tuesday night. This class will prepare students for the GIAC GWAPT (Web Application Penetration Tester) certification exam.

SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org/

Meeting once a week after work, you'll learn many facets of Web App Penetration Testing and Ethical Hacking in this popular Mentor multi-week format, with time between classes to absorb and master the material. You also receive downloadable MP3 files of the full class being taught to enhance your studies.

Course Details:
Class Title: SEC 542: Web App Penetration Testing and Ethical Hacking
Start Date: Tuesday March 8th, 6:00-8:00pm
Location: Aurora Colorado
Instructor: Mentor Serge Borso
Registration details: www.sans.org/register

Each week your local Mentor, Serge Borso, will highlight the key concepts you need to know and assist you with hands-on labs and exercises. From attack methodology to server-side discovery, you'll be learning the exploits and tools needed to protect your systems from attack. The class wraps up with a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site. Each week you will be able to show off your knowledge the next day at the office!

The SANS Mentor Program is HERE! Starting soon in the Denver metro area, conveniently located in Aurora near I-225 and Parker Road. Train Local and Save on the same material taught at SANS six-day conferences.