I came across this at secureset.com (can't find the link anymore though):
Try and figure out what it is, and when you do, share!
Friday, June 30, 2017
Sunday, May 21, 2017
SANS SEC542 August 2017 - Detroit, MI
Detroit Michigan! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...
Class begins on August 7, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.
This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.
This is certainly one of my favorite classes, and I think one of the best parts about it is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and ZAP! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Logic Attacks
- Metasploit
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Command Injection
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (XSRF)
- Automated web app vulnerability scanning tools
- Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Sunday, March 26, 2017
SANS SEC542 May 2017 - Chicago, IL
Chicago! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...
Class begins on May 15, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.
This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.
This is certainly one of my favorite classes, and I think one of the best parts about it is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and ZAP! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Logic Attacks
- Metasploit
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Command Injection
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (XSRF)
- Automated web app vulnerability scanning tools
- Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Saturday, February 25, 2017
SANS SEC542 April 2017 - Chicago, IL
Chicago! SANS SEC542 - Web Application Penetration Testing and Ethical Hacking is coming soon...
Class begins on April 3rd, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.
This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.
This is certainly one of my favorite classes, and I think one of the best parts about it is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and ZAP! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Logic Attacks
- Metasploit
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Command Injection
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (XSRF)
- Automated web app vulnerability scanning tools
- Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Saturday, January 28, 2017
Upcoming Security Events
It's a busy time in the world of information security; here are some upcoming events to be on the lookout for, two local events in Denver and two farther away:
- RSA Conference 2017 - February 13th-17th in San Francisco. This is a huge event with a large number of great speakers.
- SnowFROC - March 16th: The call for papers/speakers is open and sponsorship opportunities are also still available. This is the Front Range OWASP conference and it's going to be awesome!
- RMISC - May 9th-11th: This also has an open call for presentations and should be a great time.
- SANS SEC542 - April 3rd-8th in Chicago. This is top-notch offensive security training with a focus on web applications.
Saturday, November 19, 2016
SANS SEC542 January 2017 - Toronto, Ontario (Canada)
Web Application Penetration Testing and Ethical Hacking: SANS SEC542 is coming to Toronto, Ontario, Canada!
The fun starts on January 9th, 2017 (Monday through Saturday) when we will learn all about web app pen testing while preparing for the GIAC GWAPT (Web Application Penetration Tester) certification.
This is a six-day Community SANS event, complete with an attack/lab virtual machine, books, all class materials and a full day of Capture the Flag (CTF) on day six to drive home all of the concepts and tools.
One of my favorite things about this class is the quality and quantity of the hands-on labs; we cover everything from Burp Suite and Command Injection to XSRF and ZAP! You keep the tools, you keep the custom VM, you keep the labs and you gain great experience... more details are below.
SECURITY 542: Web App Penetration Testing and Ethical Hacking: www.sans.org
We will be covering all of these topics and more:
- Interception Proxies
- ZAP (Zed Attack Proxy)
- Burp Suite
- SQL Injection
- Logic Attacks
- Metasploit
- Reflected Cross-Site Scripting (XSS)
- Stored Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Command Injection
- Remote File Inclusion (RFI)
- Cross-Site Request Forgery (XSRF)
- Automated web app vulnerability scanning tools
- Manual scanning techniques
If your job description falls under one of these categories and you have an affinity towards information security or a desire to learn how attackers are able to compromise web applications, then this class is for you:
- General security practitioners
- Penetration testers
- Ethical hackers
- Web application developers
- Website designers and architects
Tuesday, October 25, 2016
Why everything you know about passwords is wrong
Why is everything that you know about passwords wrong?
The short answer is: because of articles like this: http://www.businessinsider.com/hacker-strong-password-2016-4
A better answer is that I don't know who you are: you may be an infosec professional, a password guru or someone else in the know, in which case the title of this post does not apply to you; but for the vast majority of people it certainly does.
The problem with the aforementioned article (and others like it), and the one this post will focus on, is the concept of "It's something that's easy to remember. All you gotta do is remember that sentence." That notion, that type of thinking, qualifies as an epic failure. If you, as a user/consumer, are remembering passwords for websites (or apps, or accounts, or whatever), you are failing miserably.
Let's skip right to the solution, then delve into reality afterwards...
The right way to deal with passwords is to use a password vault/safe - a software solution that stores all of your passwords in an encrypted file. Period.
But not quite... because nothing in the world of information security is ever that simple. First you need education, which takes time, effort, and motivation. Without this crucial first step you will be doomed even/especially with an encrypted password vault at your disposal.
What a password vault does is provide a way to store DIFFERENT, COMPLEX, AUTOMATICALLY GENERATED passwords for you. You never have to remember another password for any account that you log in to*. This is the big secret: the capitalized words above are what make a password "strong". Your passwords have to be different for every account you use, they have to be crazy complex, they have to be generated for you, and you can't remember them.
That is the whole point. Never remember passwords!*
Depending on the account in question, my password is 90+ characters and I have no idea what it is; I copy it from my password vault and paste it into the password field on a website to log in.
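To make the "different, complex, automatically generated" point concrete, here is an added example (not code from the original post, and not any particular vault product) that does what a vault's generator does: it draws each character from a CSPRNG, gives every account its own secret, and compares the guessing work of a 90-character random password with that of a memorable four-word phrase and of a site that caps passwords at 12 alphanumerics. The account names, alphabets and thresholds are constructed for illustration.

```python
import math
import secrets
import string

# Alphabet a typical vault generator draws from: letters, digits and the
# printable ASCII punctuation, 94 symbols in total.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Alphabet for a site that only accepts letters and digits (62 symbols).
SITE_ALNUM = string.ascii_letters + string.digits


def generate_password(length: int = 90, alphabet: str = FULL_ALPHABET) -> str:
    """Build a password from a CSPRNG (the secrets module), not from a sentence
    you can remember.  Every character is drawn uniformly from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: length * log2(alphabet size).
    Each extra bit doubles the number of guesses an attacker needs on average."""
    return length * math.log2(alphabet_size)


def build_vault(accounts, length: int = 90) -> dict:
    """Give every account its own generated secret: no reuse and no slight
    variations on one master password.  A real vault keeps this in an
    encrypted file; here it is a plain dict for illustration."""
    return {account: generate_password(length) for account in accounts}


def vault_has_no_reuse(vault: dict) -> bool:
    """True when no two accounts share a password."""
    return len(set(vault.values())) == len(vault)


def fits_site_policy(password: str, max_len: int, allowed: str = FULL_ALPHABET) -> bool:
    """Some sites cap the length or reject characters; check before submitting,
    so the password saved in the vault is the one the site actually stored."""
    return len(password) <= max_len and all(c in allowed for c in password)


if __name__ == "__main__":
    # Constructed account names for illustration only.
    vault = build_vault(["mail1", "mail2", "bank", "retail", "hotel"])
    print("no password reuse:", vault_has_no_reuse(vault))
    print("90 random chars from 94 symbols: %.0f bits" % entropy_bits(90, 94))
    print("4 words from a 2048-word list:   %.0f bits" % entropy_bits(4, 2048))
    print("12 alphanumerics (site cap):     %.0f bits" % entropy_bits(12, 62))
    capped = generate_password(12, SITE_ALNUM)
    print("fits a 12-char alphanumeric site:", fits_site_policy(capped, 12, SITE_ALNUM))
```

The entropy figures are the whole argument in numbers: four words from a 2048-word list give 44 bits, a 12-character alphanumeric password about 71 bits, and 90 characters from the full alphabet about 590 bits. None of the generated values is meant to be remembered; the vault, not the user, holds them.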
Here is the reality that most of us face:
How many different accounts do you log in to? How many of those accounts do you use the same password for? Do you have accounts whose password you have not changed in years? How did/do you come up with a "strong" password?
Many people have 1-3 dozen different accounts that they may log in to over the course of a year; think about it: social networking (3-9 accounts), Mail #1, Mail #2, banking, retail, credit card website, hotel(s), flight/travel, business (corporate not included), phone, computer, entertainment apps, and many more.
Different people have different methods for how they handle passwords as well. Some people reuse the same password for all of these examples, others modify it slightly for each account, while other people try hard to create passwords they think will help protect them from compromise. If you fall into any of these categories you are fighting a losing battle. As humans we are not great at remembering complex, random strings of characters. Of course there are methods to help with this (Thanks Randall): https://xkcd.com/936/
Some more reality: attackers aren't trying to crack your passwords in most cases. They are guessing your horribly weak password successfully, or using a password reset feature to change it. In the case of the 500 million Yahoo! accounts being breached, attackers may actually be trying to crack your password as opposed to just guessing it. The website/account/application plays a huge role in this portion of your account security. Will Gmail lock out your account after x failed login attempts? How about Apple or Twitter or your online bank? What is stopping an attacker from trying to log in to your account using thousands of passwords until one eventually works? Does the application/website even support complex passwords? Too often I come across a website that only supports some special characters, or caps passwords at 12 characters.
What you do to protect your account plays an incredibly important role as well, such as using 2-factor authentication for sensitive accounts whenever it's an option.
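The "lock out after x failed attempts" question above is answered on the site's side of the login form, so here is an added example (not from the original post) of the kind of logic a site or its log monitoring would run. It parses constructed login records, locks an account after a threshold of failures inside a time window, refuses later attempts against a locked account even when the password is right, and separately counts failures per source address, because a single source guessing one password against many different accounts never trips a per-account counter. The log format, addresses, account names, threshold (5) and window (15 minutes) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one record per login
# attempt with timestamp, account, source address and the site's verdict.
SAMPLE_LOG = """\
2016-10-25T09:00:01Z user=alice src=203.0.113.5 result=FAIL
2016-10-25T09:00:02Z user=alice src=203.0.113.5 result=FAIL
2016-10-25T09:00:03Z user=alice src=203.0.113.5 result=FAIL
2016-10-25T09:00:04Z user=alice src=203.0.113.5 result=FAIL
2016-10-25T09:00:05Z user=alice src=203.0.113.5 result=FAIL
2016-10-25T09:00:06Z user=alice src=203.0.113.5 result=OK
2016-10-25T09:01:00Z user=bob src=198.51.100.7 result=FAIL
2016-10-25T09:30:00Z user=bob src=198.51.100.7 result=FAIL
2016-10-25T10:15:00Z user=bob src=198.51.100.7 result=OK
2016-10-25T11:00:00Z user=carol src=192.0.2.9 result=FAIL
2016-10-25T11:00:01Z user=dave src=192.0.2.9 result=FAIL
2016-10-25T11:00:02Z user=erin src=192.0.2.9 result=FAIL
2016-10-25T11:00:03Z user=frank src=192.0.2.9 result=FAIL
2016-10-25T11:00:04Z user=grace src=192.0.2.9 result=FAIL
"""


def parse_log(text: str):
    """Turn the records above into (timestamp, user, src, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["user"], kv["src"], kv["result"]))
    return events


def lockout_decisions(events, threshold=5, window=timedelta(minutes=15)):
    """Per-account lockout: `threshold` failures inside `window` lock the account,
    and any later attempt against it is rejected, correct password or not.
    A successful login before the threshold clears the failure counter."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = set()
    rejected = []                   # attempts refused because of a lockout
    for ts, user, src, result in sorted(events):
        if user in locked:
            rejected.append((ts, user))
            continue
        if result == "FAIL":
            failures[user] = [t for t in failures[user] if ts - t <= window] + [ts]
            if len(failures[user]) >= threshold:
                locked.add(user)
        else:
            failures[user] = []
    return locked, rejected


def noisy_sources(events, threshold=5, window=timedelta(minutes=15)):
    """Per-source view: one address failing against many different accounts never
    reaches a per-account threshold, so count failures by source as well."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()
    for ts, user, src, result in sorted(events):
        if result != "FAIL":
            continue
        failures[src] = [t for t in failures[src] if ts - t <= window] + [ts]
        if len(failures[src]) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    locked, rejected = lockout_decisions(events)
    print("locked accounts:", sorted(locked))
    print("attempts rejected by lockout:", [(t.isoformat(), u) for t, u in rejected])
    print("sources failing across accounts:", sorted(noisy_sources(events)))
```

On the sample data, alice is locked after the fifth failure and her correct login a second later is refused; bob's two failures are 29 minutes apart, so the window never holds more than one and he is never locked; and 192.0.2.9, which fails once against each of five accounts, only shows up in the per-source view. That last case is why the per-account question in the post is necessary but not sufficient on its own.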
I mentioned password vaults/safes and education at the beginning of this post, and I would be remiss if I didn't clearly communicate the risk as well. Having all passwords in one file, no matter how well it's encrypted, is still a single point of failure... and there are several ways to fail with this method. If you choose to pursue a password vault/safe as an option for storing passwords, be advised that you have to know how to use it, what it will do, its limitations, and the downsides, of which there are several; this makes it less than ideal for a novice user. This type of solution is not for everyone and can increase risk in some scenarios. *And of course having a vault/safe usually still requires that you remember at least one password; ironic, isn't it?
You may hear that "passwords are dead" or that passwords are antiquated, and while they are certainly not ideal, passwords are in fact here to stay for the foreseeable future. With this in mind it's important to come up with a better solution for dealing with passwords safely; the good news is that there are several good solutions currently available. Take your time, get educated and ask questions; here are a few ideas to get your research started:
http://lmgtfy.com/?q=password+vaults