Dave Aitel of Immunity Inc stirred up a bit of controversy (to put it incredibly mildly) a week or so ago when he wrote a blog post for CSO Online called “Why you shouldn’t train employees for security awareness”. His post can be summed up as follows:
- Security training is hard.
- It’s not always effective.
- Harden your infrastructure instead.
All valid points, and if you want to read a rebuttal, you’re in luck. Here are three, by Boris Sverdlik (@jadedsecurity), Scot Terban (@krypt3ia) and Iftach Ian Amit (@iiamit). They’re also all rather nice people and you should follow them on Twitter.
Now, let’s address the first two points:
- Security Training is hard.
I’m not going to argue here. I was once in the position of having to write security awareness training manuals for an organization of 5000 people, all of whom were non-technical. It sucks. It’s hard to get people to care about these sorts of things if they aren’t predisposed to having a coronary attack whenever they see a suspicious log item on Splunk. It’s not easy.
Another huge issue is the massive gulf of perspective when it comes to security issues. We see a social engineer; they see someone they can help and whose day they can make a little better. We see an essential security update; they see an inconvenience which will disrupt their workflow. We see a laughably insecure password; they see one that’s easy to remember. Until we address this massive dissonance in perspective, we’re not going to get anywhere.
In the ’90s, Will Smith was always banging on about how parents don’t understand. Well, in security, it’s like that, except with everyone else. Scary, isn’t it?

However, with that said, there’s something we can do about it… Read on for more information.
- It’s not always effective.
I’m not sure if I agree or disagree here. I honestly think it depends on the quality of the training material and who gives the training. I’ve seen some pretty terrible security training before. Trainers who chose to scare, rather than educate*. I’ve seen people leave seminars and training sessions scared of security breaches, but with no tangible tools or methodologies to prevent attacks. That is insanity. It’s also counterproductive.
It’s also useful to remember that your training is only going to be as effective as it is fit for purpose. If your material is dry, boring and not relevant, people are going to immediately forget it. It won’t sink in, and people will continue using insecure practices.
That said, if your security training rocks, then yeah. I imagine it’ll be pretty effective. Barclays Bank have some great security awareness manuals where they try to teach people about infosec concepts through poetry, short stories, comedy and art. Now, isn’t that actually awesome? Seriously. It’s called ‘Consequences’ and you can read about it here. I have a copy, and I can vouch for how awesome it is.
So, here’s a question for you: how can we make security training engaging, entertaining and effective? How can we make it so that it sinks in, and we don’t have to get our message across by clumsily relying on fear?
In recent years, we’ve had a revolution in how we teach. We’re no longer confined to the old paradigm, which was limited to dull, drab textbooks which had to be memorized. We now know that there are better ways. We now know that people learn best vicariously through storytelling**. We now know that gamification is a great way to teach, and to ensure that people remain motivated and committed to learning. Gamification has been used by companies like Duolingo and Codecademy to teach languages and software development. And you know what? It works.
So, why on earth aren’t we utilizing these techniques in all our training material? It makes absolutely no sense. So, let’s fix that.
I want to create a training manual that is entertaining. That is accessible. That is effective. That can be translated into any language and be deployed into any environment. And I want you to help me make it.
I’ve created a GitHub project. It’s a clean slate. There’s nothing there. You have absolute creative freedom. Want to write a short allegory about password security? Go nuts. Want to write a poem about flash drive encryption? Do it! Want to make a comic about social engineering? Sure! The aim is to have something that, once completed, can be compiled and shared freely, and deployed within organizations at no cost to them.
Got a question? Email me. Or tweet me. I’m not fussy.
* Incidentally, the clown I’m referring to described ‘PHP’ as a hacker tool used to steal personal information. I’m not even kidding.
** Want proof? Read the first chapter of Harry Potter. What’s the road that the Dursleys live on? What’s their son called? Who does Mr Dursley work for? I bet you got at least two of these right. Likewise, try reading the first chapter of the PostgreSQL reference manual. How much do you remember? Exactly.