Here are the videos from the Confraria of 19-04-2012:
18:30
Apr 19
Apr 18
Today, 18-04-2012, Microsoft Innovation Week started in Lisbon, with the first day dedicated to developers. Although developer conferences are not normally aimed at security people, Tiago Henriques from PTCoreSec decided to pay a very quick visit to this one.
The event started around 9:00 in the morning at the new Microsoft building in Parque das Nações, with the usual wait for everyone present to finish registering and the handing out of folders containing a small poster (LINK) with the different APIs that will be present in Windows 8. At 9:30 I and the rest of the attendees (about 50) were led to the room where the first presentations would take place. This room, like the rest of Microsoft's "new home", is designed in a very Portuguese style, with fabrics decorating the walls and brightly coloured chairs.
The first presentation was given by Tiago Andrade e Silva, titled "The Windows 8 Platform for Metro Style Apps"; he showed multiple demos of Windows 8 being used on a tablet and on a laptop.
What follows are some photos from that presentation, showing interesting numbers and some of the ideas Microsoft is betting on for Windows 8.
From a security point of view, some interesting points were mentioned, such as:
As mentioned, the visit to this conference was just a quick pass-through, but it was enough to see the big investment Microsoft is putting into Windows 8.
PS: It is also worth mentioning that during the roughly 40-minute presentation there were at least 4 soft crashes or application crashes.
Mar 29
Here is the video recorded yesterday at the Confraria; the quality isn't the best, but it was my first time recording a conference.
Note to self: next time put the camera further away from the speakers; even without a fancy microphone, the sound at the back of the auditorium is good enough.
There are 2 black lines in the middle of the screen; I'll fix that when I get home.
You can download HERE the scripts and presentations made by Luís!
Mar 14
Hi everyone,
I'd like to introduce David Rook as a guest on the PTCoreSec blog. David, who is most widely known on the internet as SecurityNinja (http://securityninja.co.uk), currently works for a company called Realex Payments (http://realexpayments.com) as Application Security Lead.
Dave has been a speaker at multiple conferences (DEFCON, BSides London, Black Hat, BSides Vegas, IRISH Con, etc.), and he is currently a Microsoft Most Valuable Professional in the area of Developer Security.
This blog post is intended to look as if it was a face to face interview (conversation) even though it was performed over email.
PTCoreSec: Hi Dave, thank you for taking some time to answer our questions. First I would like to ask you, what got you into security? And specifically into the area of Application Security?
SecurityNinja:
I’d love to give you an answer which makes it sound like I was destined to work in Application Security but I can’t! I have been using computers since I was a young child, I remember playing on Spectrum computers before I even started school. When I first left school I worked in the offices of a physical security company which included looking after their IT needs. I used to look at the physical security controls we implemented and how we decided which ones to recommend to a client and looking back this was real life threat modeling. It wasn’t really until I moved into an IT management position in a property company at 19 that I realised security was important. We had offices and remote users all over the world and they required the same access to company data and emails as the users in the head office. This raised questions in my mind around how to enable this access securely and from then on I was bitten by the security bug!
As for application security, that came about almost by accident; I didn't plan to move into application security! As the company continued to grow we realised a dedicated application security role was required, so I moved into that about 4 years ago and the rest is history.
PTCoreSec: Apart from a big interest in security which ones are the other major skills you look for when interviewing someone for a job position?
SecurityNinja:
I look for people who are passionate about security, which might sound obvious, but if that passion doesn't exist I genuinely don't think someone can become really good at security. I agree with something Dan Geer pointed out in a recent post that "cybersecurity is the most intellectually difficult profession on the planet", which means you need smart, passionate people. On top of that I'm looking for someone who thinks differently about the world they live in and the things they see/interact with, and who isn't afraid to ask "why?".
PTCoreSec: If someone asked you “What is the best advice you can give me to enter the security business?” which would it be?
SecurityNinja:
I think my best advice is often the advice people don’t want to hear because I don’t think anyone should go from school/college/university and straight into a security role. I can only repeat what myself and Mark Hillick said in a recent blog post on Security Ninja:
"MH: I've probably answered that earlier to a degree but I believe that it's better to learn by doing. For example, a lot of my life has been spent administering networks or systems, therefore, I know that sometimes for the sake of speed, performance, reliability, resilience or business reasons, the most secure solution is not the right way to go. On the other hand, I've seen folk who go straight into security, they're brainwashed, accept nothing less than the 100% solution and end up getting a 'waiver' indemnifying them of any responsibility when they don't get their way. It's not a very constructive, team attitude, encouraging the development/infrastructure teams not to engage security. I ultimately believe that working outside security helps you understand technology better and also enables you to empathise with others more whilst it clearly provides you with more 'skillz' before moving into security.
SN: I’m not really sure where to start my input here so I will just jump in and say I agree that ideally no one’s first IT job should be in security. I feel that if you haven’t had experience in other roles first such as systems administration/networking/development you aren’t ready for anything other than junior security roles. The first half of my career was spent in non security roles learning a lot about networking and systems administration which I felt was the perfect grounding for a person looking to move into security roles. The problem is that we have companies needing security positions filled with very few people either having this experience or willing to accept they are not going to step straight into a senior security position.
I think security people who lack this real world experience are very easy to spot because every finding/issue is a blocker, every SQL Injection finding makes them run around like Chicken Little shouting the sky is falling. You can help prevent this by having something like the infosecmentors program internally but even then it’s far from ideal.”
PTCoreSec: What is your opinion when it comes to security certifications? And which ones are, in your opinion the top 3 of certifications?
SecurityNinja:
I honestly don't think they add much to the industry. I cannot dispute that they help people get their foot in the door with HR departments in certain companies, but you have to ask yourself whether a place that has the likes of CISSP/CEH/others as a hard requirement is the right place for you. I know some of them can be very useful, but my time as a certifications tutor really tainted all certifications for me. I actually shouldn't say all certifications, because I do think some of them are very good and very useful, mainly anything that requires hands-on exercises to be completed. If I had to name three I think are useful, I'd have to say pick three from any of the Offensive Security certs and SANS GIAC certs such as the GCIH.
PTCoreSec: Lots of people read your blog and know that you've built a tool called Agnitio. Can you give us a quick description of what Agnitio is, how the tool can be used and who should use it?
SecurityNinja:
Yeah sure, so Agnitio is a tool developed to make security code reviews structured and repeatable regardless of who completes the review. The core part of the application is the security code review checklist which was inspired by the use of checklists in other industries and the checklist manifesto book from Dr Atul Gawande. I also hated producing the outputs that we really needed like reports, metrics and audit trails so I made the tool do that work for us. The tool has evolved since v1.0 to include more checklist items and more functionality such as the keyword matching module and decompiling Android applications. I recently introduced the concept of dynamic checklists (i.e. you get only the checklist items relevant to the profile being reviewed) and this will be expanded on for v3.0. I plan to begin work on v3.0 once I have finished writing my content for the upcoming O’Reilly Practical Software Security book!
PTCoreSec: You've also started to work on a new software project called Windows Phone App Analyser. What made you target the Win Phone app market instead of perhaps focusing deeper on the Android and/or iPhone market?
SecurityNinja:
It doesn't really target the Windows Marketplace; it was developed to help application security professionals analyse WP7 apps. I'd already got Android and iPhone app analysis covered in Agnitio from v2.0 onwards, and after developing a couple of WP7 apps I wanted to make a tool to help the security guys and girls! Ideally it would have been added to an Agnitio release (and will be in a future release), but I wanted to test a few ideas I had for Agnitio without doing an Agnitio release. An Agnitio release involves quite a bit of testing because a lot of people use the tool nowadays; with the WPAA I knew I could quickly throw something out there and test some new things that will be included in future Agnitio versions. The two bigger features would be far more accurate keyword matching, which reduces the false positives, and the ability to launch third party analysis tools but consume their outputs all in one tool.
PTCoreSec: While we are at it, mobile phone: Android? iPhone? Win Phone?
Tablet: iPad 2, Android tablet, BlackBerry PlayBook?
Laptop: Windows, Linux, OS X?
SecurityNinja:
Phones: iPhone and a Windows Phone 7 phone
Tablet: Android
Laptop: OS X
PTCoreSec: If you had to try to predict which ones are going to be the top 5 big threats of 2012 which ones would they be in your opinion?
SecurityNinja:
I don’t make security predictions like the ones you asked for. I could roll out the same ones other security people have made for many years (year of mobile malware etc) but plenty of other security professionals have already done that! Look back at the big security issues in 2011 and look back at what security professionals predicted for 2011, how many were right?
What I will predict is that the problems we haven't addressed from the past will continue to be a problem in 2012. The likes of SQL Injection, ineffective anti-virus and so on aren't going anywhere soon, no matter which buzzword (Cloud, mobile etc.) you attach to them.
PTCoreSec: Dave thank you for answering all of our questions, and we look forward to meeting you at some conference soon.
SecurityNinja:
Not a problem, speak soon!
Feb 29
Tiago Henriques from PTCoreSec spoke today (29/02/2012) at the Confraria de Segurança; below is the package, which contains:
Material used in the presentation
Download it HERE
For any questions, email: balgan (at) ptcoresec.eu
Jan 30
For some time now I've been searching for a way to integrate firewall log alerts into my desktop.
A few years back (before I started to truly enjoy iptables) I was a Firestarter user; I even wrote a handy script for it and really liked the notifications it provided.
Nowadays I crave iptables scripts and can't stand the Firestarter interface, and this became a problem: how could I have an elegant way of being notified of potential threats without depending on email alerts or log watching?
Using conky seemed a cool alternative, and its scripting capabilities were indeed a solution for my problem. But I soon realized that I always keep windows maximized and didn't notice conky in the background, so alerts were ignored and the idea was buried.
Yesterday, as I watched a pop-up notification on my screen, another idea just popped up (pun intended).
There should be a way to easily parse iptables logs, matching them against known attack signatures, and guess what? There is: it's called psad, and you probably remember me talking about it a few posts ago.
Using psad to parse the log files you can be notified of network attacks in real time, putting an end to the tiresome log surfing after the attack has already taken place.
The only thing missing is the notification. Well, that was easier than I thought, because psad can execute a script every time an attack is detected.
Keeping this in mind, and using the capabilities of notify-send, we can have a visual notification spawned by psad upon attack detection.
Here follow the configurations I've used to turn the idea into reality.
(I've tested it on Xubuntu, but it should be identical on other distros.)
First the software requirements:
apt-get install iptables-persistent
apt-get install libnotify-bin
apt-get install psad
For the iptables configuration you may use my template and tailor it to your liking.
Edit the psad configuration file /etc/psad/psad.conf and change the following variables accordingly; I'll explain each one of them.
Replace USERNAME with your system username.
# This variable is just for future reference, because we want visual notifications, not email
EMAIL_ADDRESSES USERNAME@machine.lan;
# Here we disable the email notifications
ALERTING_METHODS noemail;
# Point the following variable to the correct log file (redhat based systems should be /var/log/messages)
IPT_SYSLOG_FILE /var/log/syslog;
# DISPLAY and XAUTHORITY define where and how to connect to the user's desktop session
# The notify-send flags are as follows:
# -t 0 sets the expiry time to zero (never), so the notification stays visible until closed by the user
# -i path to an image that will be displayed on the notification
# -c the category (type) of the notification
# Then follow the title and the body of the notification; SRCIP is a psad internal variable that holds the source IP of the attacker
EXTERNAL_SCRIPT DISPLAY=:0.0 XAUTHORITY=/home/USERNAME/.Xauthority notify-send -t 0 -i /usr/share/icons/Tango/scalable/emblems/emblem-important.svg -c network "Firewall Alert" "Intrusion detected from SRCIP";
# You want to always be notified each time an attack is detected, even if it is from the same source
EXEC_EXT_SCRIPT_PER_ALERT Y;
All done, save the file.
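As an added example (not part of the original post), the same notification can be produced by a small wrapper script that psad calls instead of the inline command, which also validates the address psad hands over and keeps a local record of every alert in case the pop-up is dismissed. It assumes a psad.conf line such as `EXTERNAL_SCRIPT /usr/local/bin/psad-notify.sh SRCIP;`, that USERNAME is again your desktop user, and a hypothetical log path of /tmp/psad-desktop-alerts.log.

```shell
#!/bin/sh
# Added example wrapper for psad's EXTERNAL_SCRIPT (not from the original post).
# Assumed psad.conf entry: EXTERNAL_SCRIPT /usr/local/bin/psad-notify.sh SRCIP;
# psad substitutes SRCIP with the attacker's address before running the command.

NOTIFY_USER="${NOTIFY_USER:-USERNAME}"              # desktop user to notify (assumption)
ALERT_LOG="${ALERT_LOG:-/tmp/psad-desktop-alerts.log}"  # hypothetical local alert record

# Accept only a dotted-quad IPv4 address. psad supplies the value, but a strict
# check keeps anything unexpected out of the notification body and the log.
is_valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Notification body, identical to the one used in the inline psad.conf command.
alert_body() {
    printf 'Intrusion detected from %s' "$1"
}

# Append a timestamped copy of the alert so it survives the pop-up being closed.
log_alert() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" >> "$ALERT_LOG"
}

# Handler: returns 2 on a malformed argument, otherwise logs, notifies, returns 0.
handle_alert() {
    src="$1"
    is_valid_ipv4 "$src" || { echo "psad-notify: rejected argument '$src'" >&2; return 2; }
    log_alert "$(alert_body "$src")"
    # Same flags as the inline command: -t 0 keeps the pop-up until the user
    # closes it, -c network sets the category. Failure to reach the desktop
    # session must not make psad treat the script as broken, hence "|| true".
    DISPLAY=:0.0 XAUTHORITY="/home/$NOTIFY_USER/.Xauthority" \
        notify-send -t 0 -c network "Firewall Alert" "$(alert_body "$src")" 2>/dev/null || true
    return 0
}

# Run the handler only when executed with an argument (not when sourced).
if [ "$#" -ge 1 ]; then
    handle_alert "$1"
fi
```

Because the script is a regular file rather than a one-line config value, you can extend it later (e.g. to run psad's `--status` or append the alert to a ticket) without touching psad.conf again.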
Deploy your iptables rules policy, restart the psad daemon, go to another machine on the network and run nmap against your host, for example a simple SYN scan without pinging:
nmap -P0 -sS 192.168.1.66
You should now be presented with something like this on your host:
Special thanks to Michael Rash for psad and for one of my favorite books, Attack Detection and Response with iptables, psad, and fwsnort.
Post written by Joel Bastos; a copy of this article can be found on his blog.
Nov 20
Welcome to the PTCoreSec web page.