AppSec USA 2015 Teaser
With the OWASP 12th Annual Security Conference, AppSec USA 2015, right around the corner (September 22nd – September 25th), I wanted to give a teaser about a one-day class that I am co-teaching on September 23rd. A fellow Omaha OWASP chapter board member, Fred Donovan, and I are teaching a “Hands-on Website Exploitation with Python” class to teach the use of Python for Web application testing.
For the one-day training class, I chose to develop, from scratch, a vulnerable Web application to use in our discussions. Fred decided he wanted to tackle the scripting. The vulnerable Web application contains a number of commonly-found, and not so commonly-found, issues — all of which a little custom Python coding should be able to take advantage of.
For the rest of this blog, I’m going to give an example of writing a script which will...
Mirror, mirror on the wall, what does my website reveal about my business to all? #WarStoryWednesday
If you run a business, chances are that you have a presence on the Internet. A website is considered a critical aspect of a business. Establishing your product or business online is a must. As important as a website is, it is also a vulnerability point for your business – think about the Ashley Madison hack. Hackers can use your website to conduct reconnaissance and then infiltrate your company. When contracted to conduct a penetration test, white hat hackers try to simulate the actions of an actual attacker.
If your organization has a Web presence, this war story is for you.
Website Pen Test War Story: Background
In a recent penetration test, I was hired to simulate an attack against a company that handled PII (personally identifiable information). The company wanted the test to simulate an attack from external sources (online), to be followed...
CEO fraud cost more than $1 billion worldwide
Last week, the FBI released an alert warning businesses about Business Email Compromise (BEC) scams that are a growing threat to businesses worldwide. Also known as “CEO fraud,” these scams target business executives in attempts to initiate unauthorized wire transfers. Losses to individual victims range from hundreds of thousands of dollars to millions of dollars. The FBI figures suggest that the average loss per victim is $100,000.
Losses from these scams, however, can be significantly more. Blogger Brian Krebs reports that Ubiquiti Networks reported a $46.7 million loss because of a BEC scam. In another scam, an Omaha, Nebraska-based company with 800 employees lost $17.2 million after a company executive wired money overseas after receiving emails ordering the transfers.
BEC scams are nothing new. The FBI began keeping statistics on them in 2013. Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013,...
Clean those APIs with SOAP, give them some REST and put them through the wringer
Since I first began my career as an Offensive Security consultant for Solutionary Professional Security Services, I’ve seen a massive shift in how Web applications are developed and deployed. Mainly, this shift has occurred in the increased development and use of REST-based and SOAP-based Web services. With this shift comes the need to mature security testing processes — and I am not the only person to realize this need.
I currently sit on the Omaha OWASP chapter board, along with several very intelligent application development and application security practitioners. There have been several discussions around more advanced and mature security-testing processes for Web services. Through our discussions, we were able to create the OWASP Web Service Security Testing Cheat Sheet.
In this...
Typically, when it comes to gauging how a year is shaping up regarding cybersecurity, it is a straight count of breached enterprises or records exposed that contain sensitive personally identifiable information. Some years, there are more breaches than others, just as some years there are breaches involving bigger household names and other years are relatively ho-hum. Rarely do we see pivotal years in cybersecurity, but I’m convinced we are witnessing one now.
One of the biggest years, for me, was 1999. It became crystal clear that year that all of the Web applications that were sprouting up were exposing backend systems and databases to new attack vectors, and highly vulnerable endpoints never designed to be connected to the Internet were connecting in great numbers.
This year is looking like another pivotal year. It’s not that the number of breached records isn’t high – it is – and it certainly matters, especially if your record is...
The goon, the bash and the uneducated
As I sit here now and try to recollect my memories from DEF CON 23, I find myself saying, “What just happened?” There was just so much, so quick, over what felt like a very short three days in Las Vegas.
Being my first time attending, a naive “noob” to this event, my eyes couldn’t be wide enough. I tried to plan everything out — and it failed spectacularly. For future DEF CON goers, my first piece of advice would be to plan a very loose schedule, and expect to change it around at some point.
I walked into the venue without any friends or co-workers and decided to rough it at the convention from day one. Well, I’d like to tell you that I didn’t get lost in the vendors/tracks section for 30 minutes, but I did. Therefore, my second piece of advice is to bring or find someone who is familiar with the event and buddy up with...
Users not following security policies, putting themselves and their employers at risk
This week, hackers calling themselves Impact Team released two data dumps that are allegedly from the recent breach of cheating website Ashley Madison and its parent company Avid Life Media (ALM). The first data dump contained approximately 10 Gb of data, mostly user information dating back to 2008. This data includes names, street addresses, e-mail addresses and transaction amounts for the 32 million Ashley Madison users. The data also includes financial details, physical descriptions as well as users’ sexual preferences and fantasies.
Many government and corporate domains are included in the data. This means that many users used their work e-mail address to access this site. Most organizations have clear security policies in place that prohibit the use of work e-mails and equipment to access any websites that are not work related. A...